S. 798, THE PROMOTE RELIABLE ON-LINE 
TRANSACTIONS TO ENCOURAGE COMMERCE 
AND TRADE (PROTECT) ACT OF 1999 


THURSDAY, JUNE 10, 1999 

U.S. Senate, 

Committee on Commerce, Science, and Transportation, 

Washington, DC. 

The committee met, pursuant to notice, at 9:32 a.m. in room SR- 
253, Russell Senate Office Building, Hon. Conrad Burns presiding. 

Staff members assigned to this hearing: David Crane, Republican 
professional staff; and Gregg Elias, Democratic senior counsel. 

OPENING STATEMENT OF HON. CONRAD BURNS, 

U.S. SENATOR FROM MONTANA 

Senator Burns. We will call the committee to order this morning, 
and thank you for coming. We will try to get started on time here. 

Let me apologize for the chairman of the full committee, John 
McCain. He has a bill on the floor, the Y2K bill. I told him that 
he probably put the fox in charge of the henhouse here when he 
lets me chair this hearing, but it is something that I have been 
very much interested in for a long time. 

Today’s hearing will focus specifically on the “PROTECT Act of 
1999.” This bill reflects a number of discussions the full Committee 
chairman and I have had about the importance of encryption in the 
digital age. I would also like to thank Senator Wyden and Senator 
Abraham for their instrumental role in the creation of this pro- 
encryption legislation that I am confident will be supported by the 
large majority of this committee. 

Along with several other members of this committee, I have long 
advocated the enactment of legislation that would facilitate the use 
of strong encryption. Strong encryption is necessary if we are to 
promote electronic commerce, secure our confidential business and 
our sensitive personal information, to prevent crime and to protect 
our national security by protecting our commercial information sys- 
tems. 

Beginning in the 104th Congress, I introduced legislation that 
would ensure the private sector continues to take the lead in devel- 
oping innovative products to protect the security and confiden- 
tiality of electronic information, including the ability to export such 
American products, and I believe PROTECT accomplishes these im- 
portant objectives. Specifically, the bill does the following: 

It permits the immediate exportability of strong encryption products 
whenever foreign products contain the same strength of 
encryption are generally available. It prohibits domestic controls on 
the use of products using strong encryption. It also guarantees that 
American industry will continue to be able to come up with new 
and innovative products. 

It immediately decontrols encryption products using key lengths 
of 64 bits or less. It permits the immediate exportability of 128-bit 
encryption in all encryption products to a broad group of users. 

Today we are in a world that nearly everyone has a computer 
and those computers are for the most part connected to one an- 
other. In light of that fact, it is becoming more and more important 
to ensure that our communications over these computer networks 
are conducted in a secure way. 

It is no longer possible to say that when we move into the infor- 
mation age we will secure these networks, because we are already 
there. We use computers in our homes and our businesses in ways 
that we could not imagine only 10 years ago. These computers are 
connected through networks, making it easier to communicate than 
ever before. 

This phenomenon holds promise for transforming life in a bunch 
of areas in our country and especially in Montana, where health 
care and state-of-the-art education can be delivered over networks 
to people located in remote population centers. These new tech- 
nologies can improve the lives of real people, but only if the secu- 
rity of information that moves over these networks is safe and reli- 
able. 

The problem today is that our computer networks are not as se- 
cure as they could be. It is fairly easy for amateur hackers to break 
into our networks. The newspaper has been full of those kind of ac- 
tivities for the last year. They can intercept information, steal 
trade secrets and intellectual property, or even alter medical 
records. 

The solution to this problem is to let individuals and businesses 
alike take steps to secure that information. Encryption is a vital 
tool which helps to protect the integrity of these electronic net- 
works which have made so many modern wonders available in this 
age. 

I look forward to the testimony of our witnesses today because 
this is a critical issue. 

Now I would like to recognize the Senator from Massachusetts, 
Senator Kerry, and thank you for coming this morning. 

[The prepared statement of Senator Burns follows:] 

Prepared Statement of Hon. Conrad Burns, U.S. Senator from Montana 

I am pleased to chair today’s hearing in the Full Committee, which is on a topic 
critical to the future of this country — reforming our country’s severely outdated 
encryption policy. Today’s hearing will focus specifically on the “PROTECT Act of 
1999.” This bill reflects a number of discussions the Full Committee Chairman and 
I have had about the importance of encryption in the digital age. I would also like 
to thank Sen. Wyden and Sen. Abraham for their instrumental role in the creation 
of this pro-encryption legislation that I am confident will be supported by a large 
majority of this Committee. 

Along with several other members of this Committee, I have long advocated the 
enactment of legislation that would facilitate the use of strong encryption. Strong 
encryption is necessary to promote electronic commerce, secure our confidential 
business and sensitive personal information, prevent crime and protect our national 
security by protecting our commercial information systems. Beginning in the 104th 
Congress, I introduced legislation that would ensure that the private sector 
continues to take the lead in developing innovative products to protect the security and 
confidentiality of our electronic information including the ability to export such 
American products. I believe PROTECT accomplishes these important objectives. 

Specifically, the bill does the following: 

• Permits the immediate exportability of strong encryption products whenever 
foreign products containing the same strength of encryption are generally available; 

• Prohibits domestic controls on the use of products using strong encryption; 

• Guarantees that American industry will continue to be able to come up with 
innovative products; 

• Immediately decontrols encryption products using key lengths of 64 bits or less; 
and 

• Permits the immediate exportability of 128 bit encryption in all encryption 
products to a broad group of users. 

Today, we are in a world where nearly everyone has a computer and that those 
computers are, for the most part, connected to one another. In light of that fact, it 
is becoming more and more important to ensure that our communications over these 
computer networks are conducted in a secure way. It is no longer possible to say 
that when we move into the information age, we’ll secure these networks, because 
we are already there. We use computers in our homes and businesses in a way that 
couldn’t have been imagined 10 years ago, and these computers are connected 
through networks, making it easier to communicate than ever before. This phe- 
nomenon holds the promise of transforming life in states like Montana, where 
health care and state-of-the-art education can be delivered over networks to people 
located far away from population centers. These new technologies can improve the 
lives of real people, but only if the security of information that moves over these 
networks is safe and reliable. 

The problem today is that our computer networks are not as secure as they could 
be. It is fairly easy for amateur hackers to break into our networks. Hackers can 
intercept information, steal trade secrets and intellectual property or even alter 
medical records. The solution to this problem is to let individuals and businesses 
alike to take steps to secure that information. Encryption is a vital tool which helps 
to protect the integrity of these electronic networks which have made so many won- 
ders of the modern age possible. 

I look forward to the testimony of the witnesses on this critical issue. 

Thank you. 

STATEMENT OF HON. JOHN F. KERRY, U.S. SENATOR 
FROM MASSACHUSETTS 

Senator Kerry. Mr. Chairman, thank you very much for your 
continued efforts in this field. 

I want to say up front, I need to go from here to the export re- 
gime hearing in the Banking Committee, where we have Messrs. 
Cox and Dicks. So I apologize for not being able to stay throughout 
this, but my staff will. 

Let me begin by saying that last session the Commerce Com- 
mittee became the first Senate committee to forge a consensus on 
this question of some kind, at least, and to report out comprehen- 
sive legislation. I am glad we are back here now and it is my hope 
that we can make real progress this year to develop a sensible 
encryption framework for the 21st century. 

We have been part of this debate for some time now. I serve on 
the Intelligence Committee, the Foreign Relations Committee, this 
committee, and the Banking Committee, all of which touch on it 
one way or the other. I am a former prosecutor, so I have been par- 
ticularly sensitive to some of the warrant issues, eavesdropping 
issues, intelligence-gathering issues, and so forth. 

For the past several years, frankly, we have received relatively 
conflicting information from various interests in the debate, and I 
think, to our frustration, at least to my frustration, Mr. Chairman, 
we have been primarily debating the current state of export mar- 
kets. We have debated whether there is a mature market abroad 
for export products and whether we can use regulatory controls to 
shape that market. 

I have adopted a relatively cautious approach, for a lot of very 
obvious reasons. I am sensitive to our national security needs and 
I have been very hopeful that the long and many discussions of the 
White House and various entities on this would retard the spread 
of encryption and actually shape market demand abroad. 

I have a change of mind at this point and I want to express that. 
I think it is time to reframe the debate on encryption. As time goes 
on and availability abroad of strong encryption products continues 
to grow, it becomes more and more difficult to accept that we alone 
can control the development of this marketplace. If we cannot 
shape the development of the marketplace and have not been able 
to reach an adequate consensus in this country to do so in the last 
few years, then we are forced to a point in time, which I think we 
are at now, where we have to examine in a responsible way how 
to adjust our regulatory regime. 

For a long time we have been debating, Mr. Chairman, whether 
to relax export controls to permit the export of stronger encryption 
products. I think that question has to change. It is now time to dis- 
cuss how we go about creating a new scheme that recognizes the 
realities of the new marketplace. 

I ask unanimous consent that an article from today’s New York 
Times, “Encryption Products Found to Grow in Foreign Markets” 
by John Markoff, be made part of the committee record. 

Senator Burns. Without objection. 

[The material referred to follows:] 

The New York Times 

ENCRYPTION PRODUCTS FOUND TO GROW IN FOREIGN MARKETS 
BY JOHN MARKOFF 

Commercial data-scrambling technology that is made outside the United States 
has become significantly more available in the last 18 months, according to re- 
searchers at George Washington University. 

The researchers’ report, which is to be presented today in testimony before the 
Senate Commerce Committee, is part of a growing body of evidence suggesting that 
the Government’s efforts to restrict the spread of “strong encryption” technology for 
secret electronic communications have largely failed. 

“The Government must acknowledge that there are foreign products, and it must 
concede that they are of comparable quality to U.S. technology,” said Bruce Heiman, 
legislative counsel for Americans for Computer Privacy, the Washington-based com- 
puter industry lobbying group that financed the study. 

The Government has long imposed export curbs on encryption technologies, 
invoking national security and crime prevention concerns. Officials have argued that 
scrambled messages would improve the ability of terrorists and other criminals to 
organize and plan illegal operations. 

The new data, though, indicate that 805 encryption products are now available 
in 35 countries outside the United States — a 22 percent increase since December 
1997. Moreover, 167 products are based on encryption algorithms considered too 
strong to be cracked by even the most powerful computers. 

“In addition to the absolute increase in the number of products, we’ve also found 
that six new countries have companies that are now selling encryption technology,” 
said Lance Hoffman, director of the Cyberspace Policy Institute at George Wash- 
ington University. 

He pointed to companies like Cybernetica in Estonia that use the United States 
export restrictions as a marketing tool. 

“Cybernetica advertises: ‘Strong crypto. Long keys. No export restrictions,”’ he 
said. 

The report also asserts that the United States has lost its monopoly on the basic 
mathematical technologies underlying data encryption. 

For example, of the 15 algorithms now being considered by the National Institute 
of Standards for a new American encryption standard, 10 have been developed out- 
side the United States. 

The report does not offer evidence of actual use of encryption systems abroad. But 
Mr. Hoffman said researchers had compiled material suggesting that the most pow- 
erful encryption software was now readily accessible internationally. 

“I’m holding in my hands a computer magazine we found on a French newsstand,” 
he said in a phone interview yesterday. The publication, Magazine Dot Net, 
contained a CD-ROM with encryption programs including Pretty Good Privacy and a 
program called Scramdisk that features advanced encryption algorithms like DES, 
Triple DES, Blowfish and Idea — any of which would present formidable challenges 
to code breakers in the Federal Government. 

http://www.nytimes.com 

Senator Kerry. Let me just share very quickly. The new data 
indicates that 805 encryption products are now available in 35 
countries outside the United States, a 22 percent increase since De- 
cember 1997. Moreover, 167 products are based on encryption algo- 
rithms considered too strong to be cracked by even the most power- 
ful computers. In addition to the absolute increase in the number 
of products, we have also found that six new countries have compa- 
nies that are now selling encryption technology. 

One of them, Cybernetica in Estonia, uses the U.S. export re- 
strictions as a marketing tool: “Cybernetica advertises ‘Strong 
crypto, long keys, no export restrictions.’” The article goes on, Mr. 
Chairman. 

I am pleased to join Chairman McCain as an original co-sponsor 
of the PROTECT Act of 1999. The bill is an important first step 
that recognizes that as the Internet becomes more of a presence in 
global commerce there have to be guarantees and assurances that 
business and personal information remains confidential. 

We have to also continue to recognize that U.S. companies are 
leaders in creating encryption technology and these companies are 
integral to our economy. We are debating a great deal now about 
the impact of China stealing secrets and where the long-term rela- 
tionship may go. Mr. Chairman, I am persuaded, as I have been 
for several years, but I think for some time we have held out hope 
about our ability to control and shape the market. I am persuaded 
that the national security interest of the country is not only af- 
fected by the sort of law enforcement/security side of this, but it is 
also affected by the long-term economic side of it. 

It seems to me that it is important for U.S. technology to be out 
there, for people to be using it, and that there are certain security 
values inherent in that happening. 

The U.S. information technology companies have been deeply 
frustrated by what they perceive as excessive stringent controls on 
the export of their encryption products. Although the United States 
is the leader in producing high quality strong encryption products, 
other countries are increasingly doing so. We have to recognize that 
reality and understand that export controls are not going to stop 
the spread of encrypted products and, importantly, controls that do 
not recognize this reality put our software industry at a disadvan- 
tage as it tries to compete in the global marketplace and has the 
potential to put our security at risk. 
Encryption is essential to hundreds of billions of dollars of e-com- 
merce. It is crucial to electronically transferred funds and to overall 
use of the Internet, including e-mail, and the United States must 
have a powerful presence in that future development. 

So I am open to arguments regarding whether we expand them 
even further than the PROTECT Act, but I believe that is an important 
first step and I am hopeful we can find a responsible approach 
that would allow us to balance some of the other interests. 

I would simply ask witnesses to perhaps — I am sure they will be 
asked this and address it: What happens with respect to foreign 
companies filling the gap and what the relationship of that is to 
our national security if foreign encryption is produced worldwide 
and we are outside of that loop?; and also whether it makes sense 
for our policy to work in a way that is increasingly putting the 
United States’ interests within the field of commerce at a disadvan- 
tage. 

Also, there are other articles regarding other types, the Quantum 
code and other approaches to encryption, which raise a whole lot 
of issues about where we may be heading in the long run here and 
what we can control in terms of the market. 

So Mr. Chairman, I think we are at a very important juncture 
and I thank you for having this hearing today and proceeding for- 
ward. 

Senator Burns. Thank you. We always like conversions. 

Senator Kerry. Beware of the convert. The zeal of the convert 
is always the worst. 

Senator Burns. I know. 

Senator, I appreciate your words today and I think as far back 
as 1994 and 1995, where we had security questions. 

Before I recognize Senator Ashcroft, I want to make it pretty 
clear that we should be as policymakers giving our security people 
the funds and resources that their technology can stay maybe a 
quarter step ahead of the technology that is generally accepted 
around the world. I think there we have fallen down a little bit. 

But I think our security people can do the job that they are paid 
to do and do a great job of it, but we have got to give them the 
funds in order for them to adapt, to go into new technology, be- 
cause Moore’s Law has taken over here. Our technology is going to 
go. We have got to make sure that we take care of our security peo- 
ple and they can stay with it. That is where we should be focusing 
our attention, I think. 

Senator Ashcroft. 

STATEMENT OF HON. JOHN ASHCROFT, 

U.S. SENATOR FROM MISSOURI 

Senator Ashcroft. Thank you, Mr. Chairman. I want to thank 
the Senator from Montana for his leadership in this area. Leader- 
ship is not finding out where people already are and going and 
standing at the front of the line. Leadership is finding out where 
we need to go and helping people understand how to get there, and 
certainly you have done that, especially as it relates to this issue. 

I want to thank the chairman of this committee for having this 
hearing today to address an issue that I believe is central to the 
future of our country’s ability to remain a worldwide leader in 
electronic technology. That is the development and the availability of 
data encryption technology. 

Encryption of sensitive electronic data is essential to our modern 
economy. State and national infrastructures, financial transactions, 
and of course the burgeoning field of Internet commerce all depend 
on the ability of companies, institutions, and individuals to securely 
transmit electronic data, and American products are at the fore- 
front of this industry. 

I might add that if American products are not at the forefront 
of this industry, other products will be at the forefront of this in- 
dustry. 

For years now, since before I first came to the Capitol, American 
manufacturers of encryption technology have been hamstrung in 
their efforts to compete in the global marketplace regarding these 
products by export controls that reflect a complete misunder- 
standing of the incredibly dynamic and fluid nature of encryption 
technology. We have tried for over 4 years to remedy that situation. 

I first introduced the E-PRIVACY bill in the last Congress and 
intend to reintroduce it shortly in this Congress. But unfortunately, 
nothing has been accomplished by way of assistance to law enforce- 
ment and to industry or, most importantly, to the users of 
encryption in this country. 

Unfortunately, a significant barrier to progress on this issue has 
been the Administration, which has taken an active and open posi- 
tion against permitting the export of encryption technology and in- 
deed a fairly hostile view to the unregulated domestic use of 
encryption. The Administration bases its position on the grounds 
that robust encryption allegedly presents risks to law enforcement 
and national security, a view that I think will be shown to be mis- 
taken by today’s testimony. We certainly have endured national se- 
curity risks, but it has not been from the industry’s development 
of encryption. 

In addition, there has not always been agreement here in Con- 
gress about the need to free our technology industry from these ex- 
port restrictions. I am happy to note that this appears to have 
changed. The chairman’s PROTECT Act which we are here to dis- 
cuss, demonstrates that there is a growing consensus that the Ad- 
ministration is mistaken and that deregulation of encryption is 
necessary in order for us to maintain our leadership position in this 
industry, and I want to commend the chairman for helping us to 
build that consensus. 

I think that the PROTECT Act is a big step in the right direction 
on encryption. In fact, it shares many of the same principles and 
provisions included in my E-PRIVACY bill. However, I do think 
that the PROTECT Act needs to go further in two ways. 

First, the PROTECT Act needs to reflect the lightning-fast na- 
ture of development in this industry and institute export relief that 
will not make the products eligible for decontrol obsolete by the 
time the approval process is complete. The Administration has long 
taken the route of regulating encryption exports based on the bit 
length of the product, with little regard to the current state of the 
technology. It began with permitting the export of 40-bit technology 
7 years ago and only agreed last fall to increase the limit to 56-bit 
technology. Of course, the standard for generally available products 
worldwide is already 128-bit technology. That is where the 
competition is. So the Administration’s position is already sorely 
outdated. 

In fact, months ago I came to a meeting of this committee with 
an advertisement from the Internet which was from the Siemens 
company in Germany advertising robust 128-bit encryption, saying 
that you cannot get this from a U.S. manufacturer, at least some- 
one overseas could not. The advertisement also indicated, however, 
that if you buy this you can use it in the United States and you 
can use it overseas as well. So if you want to have robust 
encryption, buy it from the Germans, from Siemens. 

The Administration has decided to tie the hands of the U.S. 
encryption industry. To me that is a disaster. But it is also com- 
pounded by people beginning to develop relationships with foreign 
software providers as a result of the unavailability of 128-bit or ro- 
bust encryption on the part of U.S. providers of software. 

To see the Germans eagerly promoting this potential and to have 
people from my own State of Missouri say to me, “John, we have 
an office in Singapore” — this happened to me — we have not been 
able to speak with them confidentially and communicate with them 
and the government is making it impossible for us to send the 
encryption that we can use domestically. We cannot send it to our 
office in Singapore because we are ineligible to export it. 

I do not want that situation to be — well, I just do not want the 
situation to be such that I have to say, “Well, go to Siemens in Ger- 
many, from Siemens you can buy the encryption that can be sent 
into the United States and from Siemens in Germany it can be sent 
to Singapore, so you can have your cake and eat it, too, by dealing 
with a non-domestic firm.” 

For us to have a policy which provides for the slitting of our own 
throats in a technology arena that is developing at a rapid pace is 
simply unwise. I think it is foolhardy. If we are to mark the next 
century as an American century, or even to celebrate the next week 
as high technology week in the Senate, we must be forward- 
thinking and acting. 

The PROTECT Act deregulates products up to 64 bits. That is a 
good start. The problem is that the Act delays general decontrol of 
128-bit technology until 2002, by which time it will almost cer- 
tainly be as obsolete as 56-bit encryption is today. In the interim, 
PROTECT permits individual exceptions for higher bit technology 
export, but it creates a regulatory approval board and a process 
that can take up to 60 days to determine whether a product is al- 
ready generally available, something that, quite frankly, can be de- 
termined by surfing the Internet for a little while, I mean mo- 
ments. 

With all due respect, this process is too long, which is why in the 
E-PRIVACY bill we give the administration a one-time 15-day re- 
view of products that are generally available before they are per- 
mitted to export them. 

I urge my colleagues to press our panelists on the second panel 
for answers on whether they can remain competitive if we wait as 
long as the PROTECT Act provides. 

The second area where I think the PROTECT Act can go farther 
is the explicit delineation of the rights and procedural protections 
of Americans in their ability to use encryption and to be secure in 
their use of encrypted data. While the PROTECT Act clearly affirms 
this right, it is relatively silent on the balance of procedural 
protections between Americans’ privacy interests and legitimate 
law enforcement efforts. I do not think we can afford to be silent 
on this issue. 

The administration and the FBI have over time indicated sup- 
port for language that would mandate key recovery for all domestic 
encryption and alternatively support several suggested approaches 
that would make using domestic key escrow a practical, although 
not legal, necessity. Director Freeh has gone so far as to mention 
the need for a new fourth amendment that considers the “realities” 
of the digital age. 

I think we need a new and improved approach to domestic 
encryption, not a new updated version of the fourth amendment, 
and I for one am not eagerly awaiting the FBI’s new release of the 
fourth amendment 2.0 or first amendment 98. I am, however, eager 
to hear what the Administration’s current position is on key recov- 
ery and key escrow. 

My own E-PRIVACY bill sets out specific procedures for bal- 
ancing the legitimate interests of law enforcement with the privacy 
rights of Americans, and I hope that any final legislation passed 
by the Senate would include such provisions. Those are my two ob- 
servations. 

Again, I want to say that the PROTECT Act is a strong step in 
the right direction toward protecting American privacy rights and 
American industry, but I think it should go further. 

I look forward to hearing from our panelists today and engaging 
them in serious discussion on these issues, and I thank the gen- 
tleman from Montana, whose leadership in this area has been very 
valuable to America. 

Senator Burns. Thank you very much, Senator. It has been an 
issue that both of us have been around a day or two, so we are not 
complete strangers to it. 

Congressman Goodlatte is on his way. In the meantime — oh, he 
is here. 

Mr. Goodlatte. Hiding. 

Senator Burns. You are still on your way, right? 

Senator Ashcroft. On his way to the microphone. 

Senator Burns. That is right, that is right. 

Congressman, we thank you. You have been a great leader on 
this issue in the House and we appreciate your coming over this 
morning and offering your thoughts on this piece of legislation. 

STATEMENT OF HON. BOB GOODLATTE, U.S. REPRESENTATIVE 
FROM THE STATE OF VIRGINIA 

Mr. Goodlatte. Well, Senator, thank you for the opportunity to 
testify before the Senate Commerce Committee today. I want to 
commend you and Chairman McCain and Senator Ashcroft for your 
hard work in this area. I was delighted to hear the comments of 
Senator Kerry a little while ago. I had brought the same New York 
Times article with me, so I will not need to ask that it be made 
part of the record. 
But I do want to point out that one of the items in here that he 
did not mention is that the United States has lost its monopoly on 
the basic mathematical technologies underlying data encryption. 
For example, of the 15 algorithms now being considered by the Na- 
tional Institute of Standards for a new American Encryption Stand- 
ard, 10 have been developed outside of the United States. If we do 
not act on this soon, we are going to be left behind in that regard. 

I also would ask that the committee consider making part of the 
record an article by Congressman Chris Cox, who is, as you know, 
the chairman of the committee that just released the Cox report 
and who is a strong supporter of changes in our export controls 
laws related to encryption and a co-sponsor of our legislation in the 
House, the SAFE Act. He has an article that was published in the 
San Jose Mercury News entitled “China: Export of Technology 
Would be Liberating Force.” I think it makes a very strong case for 
why, while export controls are appropriate in some sectors, liberal- 
izing our export controls on encryption would be of great benefit to 
our nations. 

Senator Burns. That will be made part of the record. 

[The material referred to follows:] 

China: Export of Technology Would be Liberating Force 

(By Christopher Cox) 

American Policy toward the People’s Republic of China should proceed from this 
central premise: It is our sincere hope for the Chinese people that they will no 
longer live under a communist government. 

To this end, America’s — and California’s — world leadership in high-tech enterprise 
promises far more than economic benefits. The export of these products to the Chi- 
nese people can be a great democratizing and liberating force. 

In January, the People’s Republic sentenced Lin Hai, a 30-year-old software exec- 
utive and Web page designer, to prison for supposedly “inciting subversion of state 
power.” His so-called “crime” consisted of exchanging e-mail addresses with an anti- 
communist group in America. 

But if Lin Hai had been able to keep the contents of his computer messages away 
from the prying eyes of the Ministry of State Security — using strong encryption in 
commercially available software — he would be a free man today. 

That is why America’s companies, the leaders in encryption technology, must be 
able to export their products to China and around the world. 

Strong encryption is — as Beijing’s communist leadership is well aware — a massive 
threat to totalitarian regimes and their government-maintained monopoly on infor- 
mation, because it permits individuals to communicate privately without fear of gov- 
ernment eavesdropping or interception. 

In this and the previous Congress, I have sponsored the Security and Freedom
through Encryption Act, together with a broad coalition of Republican and
Democratic lawmakers. I disagree with the Clinton-Gore administration, and with
Sen. Dianne Feinstein, that the current prohibition on American businesses
exporting encryption software is necessary for our national security.

Yet the Clinton-Gore administration would go beyond the current prohibition, en- 
dorsing not just restrictions on encryption exports, but also requiring every 
encryption program sold — even within the United States — to have a secret key to 
permit eavesdropping by law enforcement officials or foreign governments. 

The Clinton-Gore administration seems to place a higher priority on stopping the 
export of encryption software to the Chinese people than on preventing the theft of 
our nuclear weapons technology by the People’s Liberation Army. 

This is exactly backward. Rather than control commercially available computers, 
software and technology, we should safeguard our most critical military secrets. 

TRANSFER OF TECHNOLOGY

For the past nine months, I’ve chaired a congressional select committee
investigating the transfer of militarily sensitive technology to the People’s
Republic of China. The committee’s classified report, unanimously approved by all
five Republicans and four Democrats, found overwhelming evidence that such
transfers — including theft through espionage — have caused serious harm to U.S.
national security, and continue to this day.

But some have inferred that this should mean clamping down on commercial
exports. To the contrary: The committee found that the current export-licensing
process is riddled with errors and plagued by delays. It often does very little to
protect our national security — while frequently doing a great deal to damage
America’s competitiveness in world markets.

The committee has therefore recommended streamlining export rules. The United 
States should provide a new “fast track” for most items, while focusing greater re- 
sources and expertise on the limited targets that we know from our intelligence are 
the subject of specific collection efforts by the People’s Republic of China and others. 

Trade in innovative technologies, goods and services can help undermine ineffi- 
cient state-run industries and bring hope of a better life to the Chinese people. 

In areas like transportation, telecommunications and financial services, it is the 
means by which communist China — whose economy is smaller on a per capita basis 
than Guatemala’s — can become a developed nation. 

In fields such as medicine, biotechnology and farming, U.S. trade offers hope for 
the desperately poor millions who are still China’s majority that they will be able 
to eat and survive.

Encouraging exports to China that promote individual freedom and well-being is 
in the United States’ national security interest. For this reason, in addition to allow- 
ing the export of encryption software, U.S. policy should focus on unleashing the 
Internet as an engine of freedom in China. 

Among the 1.2 billion people in the People’s Republic of China, only one in a thou- 
sand is an Internet user. But Internet use is growing at a rate that threatens the 
Communist Party’s grip on China. 

As Chinese journalist Sang Ye has observed: “New ways of thinking, of commu- 
nicating, of organizing people and information — the Net takes aim squarely at 
things that since Mao’s earliest days have been the state’s exclusive domain.” 

Today, China’s communist dictatorship is working hard to re-route its citizens
away from the information superhighway and onto the state-controlled “Intranet.”
This new Intranet allows communication only among approved users who share
communist-approved content. The Ministry of Post and Telecommunications
supervises and approves all networks, and it screens virtually all news and even
financial information that citizens may receive from foreign sources.

While the Chinese Communist Party argues, on the Internet home page of the 
People’s Daily, that the open flow of communications would be destabilizing, Ameri- 
cans know from our own experience that technology is best used as a means to an 
end: a promise of greater freedom. 

The United States should move aggressively to frustrate the Chinese govern- 
ment’s censorship of the Internet by condemning it as a barrier to free trade, an 
impediment to joining the World Trade Organization, and a violation of the several 
human rights covenants it has signed. And we should encourage the construction 
of an expanded Internet architecture that frustrates censorship and control by re- 
pressive states. 

At the same time, the United States should work with all nations for the estab- 
lishment of the Internet as a global free-trade zone, which not only will make it in- 
creasingly difficult for governments including China’s to choke off access but also 
will pressure them further to reduce protectionist trade barriers. 

Finally, we should recognize that while our currently limited trade with China’s 
protectionist government may be better than nothing, the object of U.S. policy must 
be a liberalization of trade that is fundamentally at odds with the nation’s com- 
munist system. 


TRULY FREE TRADE 

Despite America’s free-trade policy, we still sell less to the billion-plus People’s 
Republic of China than to the 22 million people of Taiwan. Instead of business ven- 
tures being approved one at a time by the Communist Party’s Politburo, truly free 
trade means a billion Chinese interacting independently with a quarter-billion 
Americans. 

A policy toward the People’s Republic of China that frustrates this objective is 
both shortsighted and cruel. 

The recent public attention to espionage raises proper concerns about our lack of
security, but it should not distract us from our objective of freedom for China’s
people — a result that American technology exports can help bring about.

Today, we have the worst of both worlds: Military technology that the communist
government can use to hold the Chinese people in terror is being stolen, while com- 
mercial technology that can liberate the Chinese people is delayed in the export- 
licensing bureaucracy. 

It’s time to focus not on whether to engage — we should all be agreed on that — 
but rather on the terms of engagement. We should have no illusions about with 
whom we are dealing. We should have no doubt about where our policy is taking 
us. Freedom — not engagement and possibly marriage to a communist dictatorship — 
is what our policy toward China should be seeking to achieve.

U.S. Rep. Christopher Cox, R-Newport Beach, is chair of the House Select
Committee on U.S. National Security and Military-Commercial Concerns with the
People’s Republic of China. He wrote this article for the San Jose Mercury News
Sunday Perspective section.

Mr. Goodlatte. Thank you, Mr. Chairman. 

As you know, I have worked for many years on the encryption 
issue in the House. The legislation I have introduced in this Con- 
gress, H.R. 850, the Security and Freedom Through Encryption Act 
of 1999, currently has 257 co-sponsors, including a majority of both 
the Republicans and Democrats in the House and a majority of 
both the Republican and Democratic leadership. 

The SAFE Act has passed the House Judiciary Committee by 
voice vote and is now pending before the Committees on Inter- 
national Relations, Commerce, Armed Services, and Intelligence. 
Each of these additional committees is expected to act soon on the 
legislation and it is my hope that the SAFE Act will be considered 
by the House in the summer or early fall. 

Encryption has many benefits. First, it aids law enforcement by 
preventing piracy and white collar crime on the Internet. Several 
studies over the past few years have demonstrated that the theft 
of proprietary business information costs American industry hun- 
dreds of billions of dollars each year. The use of strong encryption 
to protect financial transactions and information would prevent 
this theft from occurring. 

With the speed of transactions and communications on the Inter- 
net, law enforcement cannot stop thieves and criminal hackers by 
waiting to react until after the fact. Only by allowing the use of 
strong encryption, not only domestically but internationally as well, 
can we hope to make the Internet a safe and secure environment. 

As the National Research Council’s Committee on National Cryp- 
tography Policy concluded: 

If cryptography can protect the trade secrets and proprietary information of busi- 
nesses and thereby reduce economic espionage, which it can, it also supports in a 
most important manner the job of law enforcement. If cryptography can help protect 
nationally critical information systems and networks against unauthorized penetra- 
tion, which it can, it also supports the national security of the United States. 

Second, if the global information infrastructure is to reach its 
true potential, citizens and companies alike must have the con- 
fidence that their communications and transactions will be secure. 

Third, with the availability of strong encryption overseas and on 
the Internet, the Administration’s export restrictions only serve to 
tie the hands of American business. Due in large part to these ex- 
port controls, foreign companies are winning an increasing number 
of contracts by telling prospective clients that American encryption 
products are weak and inferior, which is robbing our economy of 
jobs and revenue. I understand you are going to hear testimony 
further in regard to the new report mentioned in the New York 
Times article, which Senator Kerry made a part of the record.
In fact, one study, one noted study, found that failure to address
the current export restrictions by the year 2000 will cost American 
industry $60 billion and 200,000 jobs. Under the current system, 
America is surrendering our dominance of the global marketplace. 

The SAFE Act remedies this situation by allowing the export of 
generally available American-made encryption products after a 15- 
day, one-time technical review. Additionally, the bill allows custom- 
designed encryption products to be exported after the same review 
period if they are commercially available overseas and will not be 
used for military or terrorist purposes. 

The SAFE Act enjoys the support of members, individuals, and 
organizations across the entire spectrum of ideological and political 
beliefs, not only because it is a common sense approach to solving 
a serious problem, but also because ordinary Americans’ privacy 
and security is being assaulted by this Administration. 

Amazingly enough, some in the Administration want to mandate 
a back door into people’s computer systems in order to access their 
private communications. In fact, some in the Administration have 
stated that if people do not voluntarily create this back door, they 
may seek legislation forcing them to give the Government access to 
their information by mandating a key recovery system requiring 
people to give the keys to decode their communications to a govern- 
ment-approved third party. This is the technological equivalent of 
mandating that the Government be given a key to every home in 
America. 

Mr. Chairman, I would also like to note that we will hear from 
Administration representatives who will say that they do not sup- 
port a mandatory key recovery system. One of the problems we 
have had in addressing this is that the Administration has not 
been speaking with one voice and there has been an inconsistency 
with regard to their policy. 

I would like to note with great appreciation the position you and 
Chairman McCain have taken on this issue in the PROTECT Act. 
I could not agree more with the domestic-related provisions of your 
legislation which, like the SAFE Act, prevent the Administration 
from putting roadblocks on the information superhighway by pro- 
hibiting the Government from mandating a back door into the com- 
puter systems of private citizens and businesses. 

Additionally, both the PROTECT Act and the SAFE Act ensure 
that all Americans have the right to choose any security system to 
protect their confidential information. 

I would like to encourage you to consider further changes in this 
area with regard to export controls. Certainly the immediate decon- 
trol of 64-bit encryption is helpful to our industry, as are the provi- 
sions allowing the export of strong encryption to, as you have called 
them, legitimate and responsible entities or organizations and their 
strategic partners, and the unlimited export of encryption once the 
new AES standard is developed and implemented. These are 
marked improvements over Chairman McCain’s legislation con- 
tained in S. 909 from the last Congress. 

Our industry needs export relief now and I do not believe that
it can afford to wait until the AES standard is adopted a few years
from now. While the immediate decontrol of 64-bit encryption is
better than the Administration’s current 56-bit level, the industry
standard is, as has been noted here today, 128 bits, which consumers
and companies alike are demanding to protect their communications
and transactions.

So as the PROTECT Act moves through the Senate, I encourage 
you to continue to look for ways to provide further export relief to 
U.S. industry. 

I would also like to note that the SAFE Act does not completely 
eliminate export controls on encryption products. Like the PRO- 
TECT Act, the SAFE Act allows the President to prohibit 
encryption exports to terrorist states and impose embargoes and al- 
lows the Secretary of Commerce to stop the export of specific prod- 
ucts to specific individuals or organizations in specific countries if 
there is substantial evidence that they will be used for military or 
terrorist purposes. 

As NSA Deputy Director Barbara McNamara recently testified 
before the House Commerce Committee, “end uses and end users 
are what the Administration uses to determine whether a product 
should be exported. This is official government policy.” With the 
millions of communications, transmissions, and transactions that 
occur on the Internet every day, American citizens and businesses 
must have the confidence that their private information and com- 
munications are safe and secure. 

I want to again thank you for allowing me to testify today and 
I look forward to working with you and Senator Ashcroft as you 
move forward on this legislation. We hope you can pass a good bill 
out of the Senate. We will try to do the same thing in the House 
and work together to resolve this problem. 

Thank you. 

[The prepared statement of Representative Goodlatte follows:] 

Prepared Statement of Hon. Bob Goodlatte, U.S. Representative from Virginia

Mr. Chairman, I would like to thank you for inviting me to testify today on legis- 
lation you have introduced — S. 798, the PROTECT Act of 1999 — to encourage the 
use of strong encryption. 

As you know, I have worked for many years on the encryption issue in the House. 
The legislation I have introduced this Congress, H.R. 850, the Security And Free- 
dom through Encryption (SAFE) Act of 1999, currently has 257 cosponsors, includ- 
ing a majority of both the Republican and Democratic leadership. The SAFE Act has 
passed the House Judiciary Committee by voice vote, and is now pending before the 
committees on International Relations, Commerce, Armed Services, and Intelligence. 
Each of these additional committees is expected to act soon on the legislation, and 
it is my hope that the SAFE Act will be considered by the House in the summer 
or early fall. 

Encryption has many benefits. First, it aids law enforcement by preventing piracy 
and white-collar crime on the Internet. Several studies over the past few years have 
demonstrated that the theft of proprietary business information costs American in- 
dustry hundreds of billions of dollars each year. The use of strong encryption to pro- 
tect financial transactions and information would prevent this theft from occurring. 
With the speed of transactions and communications on the Internet, law enforce- 
ment cannot stop thieves and criminal hackers by waiting to react until after the 
fact. 

Only by allowing the use of strong encryption, not only domestically but inter- 
nationally as well, can we hope to make the Internet a safe and secure environment. 
As the National Research Council’s Committee on National Cryptography Policy 
concluded, “If cryptography can protect the trade secrets and proprietary informa- 
tion of businesses and thereby reduce economic espionage (which it can), it also sup- 
ports in a most important manner the job of law enforcement. If cryptography can 
help protect nationally critical information systems and networks against
unauthorized penetration (which it can), it also supports the national security of
the United States.”

Second, if the Global Information Infrastructure is to reach its true potential, citi- 
zens and companies alike must have the confidence that their communications and 
transactions will be secure. 

Third, with the availability of strong encryption overseas and on the Internet, the 
Administration’s export restrictions only serve to tie the hands of American busi- 
ness. Due in large part to these export controls, foreign companies are winning an 
increasing number of contracts by telling prospective clients that American 
encryption products are weak and inferior, which is robbing our economy of jobs and 
revenue. In fact, one noted study found that failure to address the current export 
restrictions by the year 2000 will cost American industry $60 billion and 200,000 
jobs. Under the current system, America is surrendering our dominance of the glob- 
al marketplace. 

The SAFE Act remedies this situation by allowing the export of generally avail- 
able American-made encryption products after a 15-day, one-time technical review. 
Additionally, the bill allows custom-designed encryption products to be exported, 
after the same review period, if they are commercially available overseas and will 
not be used for military or terrorist purposes. 

The SAFE Act enjoys the support of members, individuals and organizations 
across the entire spectrum of ideological and political beliefs, not only because it is 
a common-sense approach to solving a serious problem, but also because ordinary 
Americans’ privacy and security is being assaulted by this Administration. 

Amazingly enough, the Administration wants to mandate a back door into people’s
computer systems in order to access their private communications. In fact, the
Administration has stated that if people do not “voluntarily” create this back door, 
it may seek legislation forcing them to give the government access to their informa- 
tion, by mandating a “key recovery” system requiring people to give the keys to de- 
code their communications to a government-approved third party. This is the tech- 
nological equivalent of mandating that the government be given a key to every home 
in America. 

Mr. Chairman, I would like to note with great appreciation the position you have 
taken on this issue in the PROTECT Act. I couldn’t agree more with the domestic- 
related provisions of your legislation, which — like the SAFE Act — prevent the Ad- 
ministration from placing roadblocks on the information superhighway by prohib- 
iting the government from mandating a back door into the computer systems of pri- 
vate citizens and businesses. Additionally, both the PROTECT Act and the SAFE 
Act ensure that all Americans have the right to choose any security system to pro- 
tect their confidential information. 

On the issue of export relief, I would also like to commend you for the changes 
you have made in this year’s bill. Certainly the immediate decontrol of 64-bit 
encryption is helpful to our industry, as are the provisions allowing the export of 
stronger encryption to, as you have called them, “legitimate and responsible entities 
or organizations and their strategic partners,” and the unlimited export of 
encryption once the new AES standard is developed and implemented. These are 
marked improvements over the export restrictions contained in S. 909 from the last 
Congress. 

However, I would like to encourage you to consider further changes in this area, 
along the lines of those contained in the SAFE Act. Our industry needs export relief 
now — I do not believe that it can afford to wait until the AES standard is adopted 
a few years from now. And while the immediate decontrol of 64-bit encryption is 
better than the Administration’s current 56-bit level, the industry standard is cur- 
rently 128-bit encryption — which consumers and companies alike are demanding to 
protect their communications and transactions. So as the PROTECT Act moves 
through the Senate, I encourage you to continue to look for ways to provide further 
export relief to U.S. industry. 

I would also like to note that the SAFE Act does not completely eliminate export 
controls on encryption products. Like the PROTECT Act, the SAFE Act allows the 
President to prohibit encryption exports to terrorist states and impose embargoes, 
and allows the Secretary of Commerce to stop the export of specific products to spe- 
cific individuals or organizations in specific countries if there is substantial evidence 
that they will be used for military or terrorist purposes. And as NSA Deputy Direc- 
tor Barbara McNamara recently testified before the House Commerce Committee, 
“end uses and end users are what we use to determine whether a product should 
be exported — this is official government policy.” 

With the millions of communications, transmissions, and transactions that occur
on the Internet every day, American citizens and businesses must have the
confidence that their private information and communications are safe and secure.

Again, thank you for allowing me to testify today, and I look forward to working
together with you as the PROTECT Act moves through the Senate and the SAFE 
Act moves through the House. 

Senator Burns. Thank you very much, Congressman. We appre- 
ciate your interest and leadership in this issue. 

I am going to call the panel. Any questions for the Congressman? 

Senator Ashcroft. May I just commend the Congressman. I 
have had the opportunity and good fortune to work with him, and 
his understanding of the issues related to encryption is unsur- 
passed in the Congress. I appreciate that, and I think, frankly, the 
American people and the data industry owes you a debt of grati- 
tude. I know that I do, and I thank you for your leadership. 

Mr. Goodlatte. Thank you for your kind words. 

Senator Snowe. Mr. Chairman. 

Senator Burns. The Senator from Maine. 

STATEMENT OF HON. OLYMPIA J. SNOWE, U.S. SENATOR 
FROM MAINE 

Senator Snowe. Thank you, Mr. Chairman. I want to welcome 
my good friend and former colleague from the House here today, 
and commend you for your leadership on this issue and your pres- 
entation before the committee. 

Mr. Goodlatte. Thank you, Senator Snowe. I would like to tell
you that I will be in your State, in fact in your home town, tomor- 
row and Saturday for my 25th reunion at Bates College. So I ap- 
preciate your kind words. 

Senator Snowe. I wish you good weather and great lobsters. 

Mr. Goodlatte. Thank you. 

Senator Burns. At least they have got a warning up there, right? 

Mr. Goodlatte. That is right. 

Senator Burns. We like these warnings. 

I will call the first panel to the table, and while they are coming
up, Senator Snowe, do you have a statement that you would like
to make? 

Senator Snowe. No, Mr. Chairman. I have a statement for the 
record. 

Senator Burns. It will be made part of the record. 

[The prepared statement of Senator Snowe follows:] 

Prepared Statement of Hon. Olympia J. Snowe, U.S. Senator from Maine 

Thank you, Mr. Chairman. Today’s hearing is extremely important because it ad- 
dresses an issue that will only grow in importance as the Global Information Infra- 
structure (GII) continues to develop and evolve: the availability of strong encryption 
technology. 

Without the knowledge that one’s information is private and secure, the full po- 
tential of the Global Information Infrastructure — and the transmission and utiliza- 
tion of information on the Internet in particular — will never be realized. 

On the one hand, if one is certain that their proprietary or personal information 
can only be accessed by those for whom it is intended, one will be at ease putting 
business plans, personal medical records, and other confidential files “on-line”. But 
if security is inadequate for the prevention of unauthorized “browsing” or outright 
“piracy,” one’s willingness to utilize the countless benefits of on-line commerce will 
be severely hampered. 

The United States imposes limits on the export of encrypted products — in part —
to ensure that law enforcement and intelligence agencies have easier access to the
information these products contain. Presumably, if the products exported by the
United States do not allow for encryption beyond a certain level, the threat to
national security will be lessened.

While I believe we would all agree that national security is of the utmost
importance — and any policy that protects American citizens from “on-line crime” is
beneficial — it is also important that we be realistic in setting these policies. If
our policies do not reflect the reality of the global marketplace, we will not only
fail to accomplish the goals we are pursuing, but we may also risk harming
businesses and consumers in the United States that we are seeking to protect.

In addition, high-tech industries in the United States have a great deal at stake 
in the ongoing debate on encryption export restrictions. If our current export policies 
are “behind the times,” domestic producers of computer hardware and software risk 
being at a competitive disadvantage in the global marketplace. At the same time, 
other U.S. companies that rely on the use of these encrypted technologies to manu- 
facture consumer products — such as cellular telephones — could also be adversely im- 
pacted by a poorly conceived export policy. 

Accordingly, today’s hearing will give us a chance to review the need for, and im- 
pact of, S. 798, the PROTECT Act — legislation that would fundamentally alter the 
manner in which encryption export restrictions are established. Ultimately, it is my 
hope that this hearing will assist us in determining whether or not our current ex- 
port restrictions are both practical and effective, and if changes such as those con- 
tained in S. 798 would be a step forward or a step back for the United States. 

I would like to thank our witnesses for being with us this morning, and look for- 
ward to the discussion this hearing will generate on a topic that is so fundamental 
to the development of the world’s information infrastructure. Thank you, Mr. Chair- 
man. 

Senator Burns. We have William Reinsch, who is the Under Sec- 
retary of Export Administration, Department of Commerce; James 
Robinson, Assistant Attorney General from the Criminal Division; 
and we have Barbara McNamara, Deputy Director of the National 
Security Agency. 

We appreciate all of you taking time in your busy days and your 
responsibilities and duties to come and visit with us today about 
this very important subject. We will just go in order, I guess. So 
Secretary Reinsch, we look forward to hearing from you and some 
of yours. 

I might add that your complete statement will be made part of 
the record. If you want to consolidate that and offer your views, 
that is perfectly OK, too. We appreciate you coming today. 

Mr. Secretary, good to see you again. 

STATEMENT OF HON. WILLIAM A. REINSCH, UNDER SECRETARY
OF EXPORT ADMINISTRATION, U.S. DEPARTMENT OF COMMERCE

Mr. Reinsch. Thank you, Mr. Chairman. It is good to be back. 
I do have a shorter statement. We have a lot to say about this bill, 
however, so it is not quite as short as it could be, I suppose. 

I want to thank you for the opportunity to be back to discuss this 
difficult subject. I think we made a lot of progress since I was here 
the last time, and that is one of the subjects I want to discuss with 
you. 

It should be obvious from the testimony today that encryption is 
a hotly debated issue. I want to make clear what the Administra- 
tion’s policy is. We support a balanced approach which considers 
privacy and commerce, as well as protecting important law enforce- 
ment and national security equities. We have been consulting close- 
ly with industry and its customers to develop a policy that provides 
that balance in a way that also reflects the evolving realities of the 
marketplace. 

There is no question about the evolving role of encryption in the 
marketplace and in e-commerce, and my full statement has a lot
to say about that in terms of details. I will not pass that on to this
committee at this time because you are already well familiar with 
it. 

But I do want to say that developing a balanced policy is com- 
plicated because we do not want to hinder encryption’s legitimate 
use, but at the same time we do want to protect national security 
and law enforcement. Now, over the last several years as we have 
been studying this problem we have learned that there are many 
ways to assist lawful access beyond key escrow or key recovery and 
that there is no one-size-fits-all solution. We believe our policy re- 
flects that, and I would like to describe it for you. 

We published a regulation in September 1998, which allows the 
export of unlimited strength encryption to banks and financial in- 
stitutions. This allows U.S. companies new opportunities to sell 
encryption products to a key market for encryption products. 

Last September, the Vice President also unveiled an update to 
our policy, and we published regulations implementing it last De- 
cember. It permits the free export of unlimited strength encryption 
products to several key sectors of the market. In addition to banks 
and financial institutions, we now allow health facilities and online 
merchants to purchase U.S. encryption to secure their sensitive fi- 
nancial, medical, and online transactions in digital form. U.S. com- 
panies can now export 128-bit or greater encryption products, in- 
cluding encryption technology, to subsidiaries located worldwide to 
protect proprietary information and to develop new products. 

Furthermore, this update allows the export of unlimited strength 
recovery-capable or recoverable products. These products do not re- 
quire a third party to hold any key, are not key escrow, but allow 
for law enforcement access under proper court authority. They are 
readily available in the marketplace and include general purpose 
routers, firewalls, and virtual private networks. 

We have also made progress with other countries, Mr. Chairman, 
through the hard work of Ambassador David Aaron, the President’s 
Special Envoy on Cryptography. We agreed in the Wassenaar ar- 
rangement last December on several changes relating to encryption 
controls. We removed multilateral controls on all encryption prod- 
ucts at or below 56 bits and certain consumer items regardless of 
key length. 

We also agreed to amend the General Software Note on this 
issue. Drafted in 1991 when banks, governments, and militaries 
were the primary users of encryption, the General Software Note 
did not give countries the legal authority to require a license for 
the export of mass market encryption software. The note was cre- 
ated to release general purpose software used on PCs, but it inad- 
vertently also released encryption. 

We believed it was essential to modernize the note and close the 
loophole. Under a new Cryptography Note adopted in December, a 
64-bit key length threshold has been set for mass market 
encryption software and hardware. This enables governments to re- 
view export mass market products stronger than 64 bits. 

I want to be clear. This does not mean that encryption products 
of more than 64 bits cannot be exported. Our own policy permits 
that, as I just made clear, as does the policy of most other 
Wassenaar members. It does mean the products must be reviewed 
by governments consistent with their national policies before export. 

Now, let me comment in conclusion, Mr. Chairman, on the PRO- 
TECT Act. With respect to S. 798, the Administration opposes this 
legislation for a number of reasons. Overall, we believe it does not 
promote the balance that we worked so hard to achieve over the 
last several years and which I have just defined. 

Let me discuss several, but not all, of the more problematic sec- 
tions. Under section 505, the removal of export controls on publicly 
or generally available encryption is left to an advisory board. We 
believe such a board would be unworkable. The broad definitions 
used in the bill would give the board wide latitude in making its 
findings on what is available. This could place the Secretary in the 
position of having to routinely object to the removal of export con- 
trols when important national security and law enforcement inter- 
ests are at stake. 

The bill also makes this decision subject to judicial review. The 
Administration does not think it is wise public policy for the courts 
to adjudicate executive branch decisions on national security mat- 
ters like the ones that would be rolled into these kinds of decisions. 

Section 501 of the bill removes the Department of Justice from 
the encryption export license consultation process. Since law en- 
forcement interests are an important consideration in regard to 
encryption, we cannot support that provision. We do support the 
provisions that require a technical review for eligibility for export 
under a license exception. That is consistent with our current regu- 
lations. What we cannot support, however, is the portion of section 
504 that would provide automatic eligibility after 15 days if there 
has been no decision from the government. 

That same section also proposes control parameters and export 
liberalizations beyond what we can entertain and which would be 
contrary to our international export control obligations. For exam- 
ple, Wassenaar agreed to decontrol products up to 56 bits. This bill 
would decontrol products using a key length of 64 bits or less. 

Section 504 also expands the products, end users, and countries 
eligible beyond what we are willing to consider at this point. 

Section 102 is also troubling, as it would permit a U.S. person 
located anywhere in the world to develop, manufacture, sell or use 
any type of encryption. This would in effect prevent the govern- 
ment from requiring a license for U.S. persons to develop and man- 
ufacture encryption abroad. As a result, U.S. companies would like- 
ly move all development and manufacture of encryption out of the 
United States in order to take advantage of this loophole. This is 
not in our country’s economic or national security interests. 

Section 103 contains a provision that would prohibit the U.S. 
Government from conditioning any approval on the fact that a 
product is recoverable. A fundamental feature of our encryption 
policy is that we provide incentives for companies to develop prod- 
ucts that provide strong security and also meet the needs of na- 
tional security and law enforcement. The bill would eliminate this 
laudable feature of our policy that industry had asked us to include 
in last year’s update. This provision is also inconsistent with sec- 
tion 504, which allows license exception treatment for recoverable 
products. 

Now, we have also some problems, Mr. Chairman, with other 
non-export control provisions of the bill. Section 202 requires that 
encryption products used by the Government must interoperate 
with other commercial encryption products. The extent to which 
interoperability is required is unclear in the bill as drafted, but we 
believe that the practical result of the bill would be that the Gov- 
ernment could not use encryption because no single encryption 
product interoperates with all other products. 

It also appears that this provision could prohibit the use of 
encryption developed by the Government for its own internal use 
in closed systems that are purposefully designed not to interoperate 
with other systems, such as those used by the Department of De- 
fense or the National Security Agency. 

I want to make clear we do not seek encryption export control 
legislation, nor do we believe that legislation is needed. We believe 
the current regulatory structure is sufficient for balanced oversight. 
As the Senators here today know, public debate on this issue has 
often been lively and on some occasions acrimonious, although cer- 
tainly not in this room. We hope to find a middle ground that can 
meet all of our needs. 

Our dialog with industry has gone a long way toward bridging 
that gap and finding that middle ground. We will continue this pol- 
icy of cooperative exchange, which is clearly the best way to pursue 
our policy objectives of balancing public safety, national security, 
and the competitive interests of our companies. 

Thank you, Mr. Chairman. 

[The prepared statement of Mr. Reinsch follows:] 

Prepared Statement of William A. Reinsch, Under Secretary for 
Export Administration, U.S. Department of Commerce 

Thank you, Mr. Chairman, for the opportunity to testify on the direction of the 
Administration’s encryption policy. We have made a great deal of progress since my 
last testimony before this Committee on this subject. 

Even so, encryption remains a hotly debated issue. The Administration continues 
to support a balanced approach which considers privacy and commerce as well as 
protecting important law enforcement and national security equities. We have been 
consulting closely with industry and its customers to develop a policy that provides 
that balance in a way that also reflects the evolving realities of the market place. 

One of the many uses of the Internet which will have a significant effect on our 
everyday lives is electronic commerce. The Internet and other digital media are be- 
coming increasingly important to the conduct of international business. There were 
43.2 million Internet hosts worldwide last January compared to only 5.8 million in 
January 1995. According to a recent study, the value of e-commerce transactions in 
1996 was $12 million. The projected value of e-commerce in 2000 is $2.16 billion. 
To cite one example, travel booked on Microsoft’s Website has doubled every year 
since 1997, going from 500,000 to an estimated 2.2 million this year. Many service 
industries which traditionally required face-to-face interaction such as banks, finan- 
cial institutions and retail merchants are now providing cyber service. Customers 
can now sit at their home computers and access their banking and investment ac- 
counts or buy a winter jacket with a few strokes of their keyboard. 

Furthermore, most businesses maintain their records and other proprietary infor- 
mation digitally. They now conduct many of their day-to-day communications and 
business transactions via the Internet and E-mail. An inevitable byproduct of this 
growth of electronic commerce is the need for strong encryption to provide the nec- 
essary secure infrastructure for digital communications, transactions and networks. 
The disturbing increase in computer crime and electronic espionage has made peo- 
ple and businesses wary of posting their private and company proprietary informa- 
tion on electronic networks if they believe the infrastructure may not be secure. A 
robust secure infrastructure can help allay these fears, and allow electronic com- 
merce to continue its explosive growth. 

Developing an encryption policy has been complicated because we do not want to 
hinder its legitimate use — particularly for electronic commerce; yet at the same time 
we want to protect our vital national security, foreign policy and law enforcement 
interests. We have concluded that the best way to accomplish this is to continue a 
balanced approach: to promote the development of strong encryption products that 
would allow lawful government access to plain text under carefully defined cir- 
cumstances; to promote the legitimate uses of strong encryption to protect confiden- 
tiality; and continue looking for additional ways to protect important law enforce- 
ment and national security interests. 

During the past three years, we have learned that there are many ways to assist 
lawful access. There is no one-size-fits-all solution. The plans for recovery encryption 
products we received from more than 60 companies showed that a number of dif- 
ferent technical approaches to recovery exist. In licensing exports of encryption 
products under individual licenses, we also learned that, while some products may 
not meet the strict technical criteria of our regulations, they are nevertheless con- 
sistent with our policy goals. 

Additionally, we decided that the use of strong non-recovery encryption within 
certain trusted industry sectors is an important component of our policy to protect 
private consumer information and allow our U.S. high-tech industry to maintain its 
lead in the information security market. Taking into account all that we have 
learned and reviewing international market trends and realities, we made several 
changes in 1998 to our encryption policy that I will now summarize. 

In September 1998, we published a regulation allowing the export, under a license 
exception, of unlimited strength encryption to banks and financial institutions lo- 
cated in 46 countries which allows U.S. companies new opportunities to sell 
encryption products to the world’s leading economy. This policy recognizes the need 
to secure our financial networks, and the history of cooperation which the banking 
and financial communities have with government authorities when information is 
required to combat financial and other crimes. 

More importantly, on September 16th, Vice President Gore unveiled an update to 
our encryption policy. This Policy Update was the result of a dialogue with U.S. in- 
dustry, law enforcement, and privacy groups on how our policy might be improved 
to find technical solutions, in addition to key recovery, that can assist law enforce- 
ment in its efforts to combat crime. At the same time, we wanted to find ways to 
assure continued U.S. technology leadership, promote secure electronic commerce, 
and protect privacy concerns. We believed then and now that the best way to make 
progress on this issue is through a constructive, cooperative dialogue, rather than 
by legislative solutions. Through dialogue lasting more than a year, there has been 
increased understanding among the parties and we have made progress. 

On December 31, we published regulations implementing the Vice President’s pol- 
icy announcement. These regulations will not end the debate over encryption con- 
trols, but we believe the regulation addresses some private sector concerns by open- 
ing large markets and further streamlining exports. 

The Update permits the export of 128-bit encryption products and higher (with 
or without key recovery) to several important industry sectors. Now, banks, finan- 
cial institutions, health facilities, and on-line merchants can secure their sensitive 
financial, medical, and on-line transactions in digital form. This update also allows 
U.S. companies to export 128-bit or greater encryption products, including tech- 
nology to subsidiaries around the world, to protect its proprietary information and 
to develop new products. Further, this update allows the export of 128-bit or greater 
“recovery capable” or “recoverable” encryption products under an encryption licens- 
ing arrangement. Such products include those that are readily available in the mar- 
ketplace such as general purpose routers, firewalls, and virtual private networks. 
These recoverable products are usually managed by a network or corporate security 
administrator without any involvement by a third party. Since the Update an- 
nouncement, Industry has been taking advantage of this new liberalization and the 
streamlined process awarded to such products. 

Many of the updates permit the export of encryption to these end-users under a 
license exception. That is, after the product receives a technical review, it can be 
exported by manufacturers, resellers and distributors without the need for a license 
or other additional review. These license exceptions currently apply to a list of coun- 
tries or a set of end users. We also have a general policy of approval for exports 
to those sectors through encryption licensing arrangements (ELA), a kind of bulk 
license, to allow unlimited shipments of strong encryption to the sectors worldwide. 

We also further streamlined exports of key recovery products by no longer requir- 
ing a review of foreign key recovery agents and no longer requiring companies to 
submit business plans. 

We recognize that the development of our policy is an evolutionary process, and 
we intend to continue our dialogue with industry. Our policy will continue to adapt 
to technology and market changes. We will review our policy again this year with 
a view toward making further changes. An important component of our review is 
input from industry, which we are receiving through our continuing dialogue. 

This past year, we also made progress on developing a common international ap- 
proach to encryption controls through the Wassenaar Arrangement. Established in 
1996 as the successor to COCOM, it is a multilateral export control arrangement 
among 33 countries whose purpose is to prevent destabilizing accumulations of arms 
and industrial equipment with military uses in countries or regions of concern. 
Wassenaar provides the basis for many of our export controls. 

In December, through the hard work of Ambassador David Aaron, the President’s 
special envoy on encryption, the Wassenaar Arrangement members agreed on sev- 
eral changes relating to encryption controls. These changes go a long way toward 
increasing international security and public safety by providing countries with a 
stronger regulatory framework for managing the spread of robust encryption. Spe- 
cific changes to multilateral encryption controls include removing multilateral con- 
trols on all encryption products at or below 56 bit and certain consumer items re- 
gardless of key length, such as entertainment TV systems, DVD products, and on 
cordless telephone systems designed for home or office use. 

Most importantly, the Wassenaar members agreed to remove encryption software 
from Wassenaar’s General Software Note and replace it with a new cryptography 
note. Drafted in 1991, when banks, government and militaries were the primary 
users of encryption, the General Software Note allowed countries to export mass 
market encryption software without restriction. The GSN was created to release 
general purpose software used on personal computers, but it inadvertently also per- 
mitted countries to release encryption. It was essential to modernize the GSN and 
close the loophole that permitted the uncontrolled export of encryption with unlimited 
key length. Under the new cryptography note, mass market hardware has been 
added and a 64-bit key length or below has been set as an appropriate threshold. 
This will lead governments to review the dissemination of 64-bit and above 
encryption. 

I want to be clear that this does not mean encryption products of more than 64 
bits cannot be exported. Our own policy permits that, as does the policy of most 
other Wassenaar members. It does mean, however, that such exports now can be 
reviewed by governments consistent with their national export control procedures. 

Export control policies without a multilateral approach have little chance of suc- 
cess. Agreement among the Wassenaar members on the treatment of mass market 
encryption products is a strong indication that other countries share our public safe- 
ty and national security concerns. Contrary to what many people thought two years 
ago, we have found that most major encryption producing countries are interested 
in developing a common approach to encryption controls. 

THE PROTECT ACT 

With respect to S. 789, the Administration opposes this legislation for a number 
of reasons. Overall the bill does not promote the balance that this Administration 
has worked so hard to achieve over the past several years. Let me now discuss some 
of the more problematic sections. 

Under section 505, the removal of export controls on publicly or generally avail- 
able encryption is in effect left to an advisory board composed of private sector and 
government representatives, with the concurrences of the Secretary. We believe 
such a board would be unworkable. Although availability is one of the factors we 
use to decide whether an encryption product may be exported, it is not the only factor 
and should not be elevated above the others. We need to be able to take all factors, 
including national security and public safety, into account when making export 
control decisions. Disallowing or downgrading important considerations will only 
serve to weaken our export control system. The broad definitions used in the bill 
would give the Board wide latitude in making its findings on what is available. This 
could place the Secretary in the position of having to routinely object to the removal 
of export controls when important national security and law enforcement interests 
are at stake. The bill makes this decision subject to judicial review. The Administra- 
tion does not think it is wise public policy for the courts to adjudicate Executive 
Branch decisions on these matters. 

Section 501 removes the Department of Justice from the encryption export license 
consultation process. Since law enforcement interests are an important consider- 
ation in regard to encryption, we cannot support this provision. 

We support the provisions in the bill that require a technical review for eligibility 
to export encryption under a license exception. In fact, this is consistent with cur- 
rent regulations. What we cannot support, however, is the portion of section 504 
that would provide automatic eligibility after 15 days if the exporter has not re- 
ceived a decision from the government. In all cases, a very careful technical review 
is completed in order to determine that a product is technically eligible for a par- 
ticular license exception. Although we try to perform these reviews as quickly as 
possible, a 15-day automatic approval will severely limit our ability to do a careful 
review. 

Section 504 also proposes control parameters and export liberalizations beyond 
what the Administration can entertain and which would be contrary to our inter- 
national export control obligations. For example, Wassenaar agreed to decontrol 
encryption products up to 56-bits whereas this bill would decontrol encryption prod- 
ucts using a key length at 64-bits or less. Section 504 also expands the set of prod- 
ucts, end users, and countries eligible to receive encryption under a license excep- 
tion beyond what we believe is prudent. 

Another troubling part of this bill is section 102, which would permit a U.S. per- 
son located anywhere in the world to develop, manufacture, sell or use any type of 
encryption. If this provision were construed to permit U.S. citizens to develop, man- 
ufacture and sell encryption products overseas, even with the use of non-public con- 
trolled technology that they had acquired in the United States, it would, in effect, 
prevent the government from requiring a license for U.S. persons to develop and 
manufacture encryption abroad. As a result, U.S. companies would likely move all 
development and manufacture of encryption out of the United States in order to 
take advantage of this loophole. This is not in our country’s economic or national 
security interest. 

Section 103 contains a provision that would prohibit the U.S. Government from 
conditioning any approval on the fact that a product is recoverable. A fundamental 
feature of our encryption policy is that we provide incentives for companies to de- 
velop products that provide strong security and also meet the needs of national se- 
curity and law enforcement. The bill would eliminate this laudable feature of our 
policy that industry wanted us to include in last year’s update. In addition, this pro- 
vision of the bill is inconsistent with section 504 which allows license exception 
treatment for recoverable products. 

Section 506 would eliminate any export controls on products using the forth- 
coming Advanced Encryption Standard (AES). We oppose the removal of export con- 
trols on encryption products simply because they implement a government standard. 
Products incorporating the AES should be exportable to the same extent as any 
other product incorporating encryption of similar strength. Under our current policy, 
AES-based products could be exported to banks, large corporations, on-line mer- 
chants without restriction and to many other safe endusers depending on the nature 
of the product. We do not think it is wise to link development of the AES to export 
controls. Such a linkage might bring undue pressure on NIST to complete the AES 
process faster than planned, and may therefore not allow prudent study of the secu- 
rity features of the candidate algorithms before selection. 

With respect to the provisions of the bill that do not relate to export controls, we 
have a number of questions and concerns. 

One such provision in Section 202 requires that encryption products used by the 
Government must interoperate with other commercial encryption products. The ex- 
tent to which interoperability is required is unclear in the bill, but we believe the 
practical result of this requirement is that the Government could not use encryption 
because no single encryption product interoperates with all other products. It also 
appears that this provision could prohibit the use of encryption developed by the 
government for its own internal use in “closed” systems that are purposefully de- 
signed not to interoperate with other systems. 

Section 202 also appears to prevent mandatory use of recoverable encryption 
when communicating with U.S. Federal, state and local governments. This would 
appear to preclude an agency from requiring key recovery or recoverable products 
for business purposes. We believe the effect of this provision may be much broader 
than simply preventing government from using recoverable encryption when dealing 
with the public. The practical effect would be that Government sites would have to 
be capable of supporting secure communications using all encryption methodologies 
on the market. This is absurd. 

We are concerned that section 302 of the bill may preclude NIST’s work with vol- 
untary standards organizations because it prohibits the Secretary of Commerce from 
carrying out any policy that establishes an encryption standard for use by busi- 
nesses or other entities other than for computer systems operated by the United 
States Government. The Secretary of Commerce is prohibited from establishing 
standards for business; however, when invited by standards organizations to do so, 
NIST does, as a matter of policy, work together with those organizations. Coopera- 
tion between NIST and standards organizations is important for both NIST and in- 
dustry, and it is consistent with government policy to use voluntary standards and 
to purchase commercial off-the-shelf products. If the government cannot have input 
to the standards process, we may end up with less secure products available for gov- 
ernment agencies. We want to encourage, to the extent possible, the development 
of voluntary standards that meet the needs of the government. This reduces costs 
for both government and industry. 

In regard to section 401 dealing with the “Information Technology Laboratory,” 
we have two concerns. First, we do not think it is appropriate for NIST to undertake 
research and development of new technologies to facilitate lawful access to commu- 
nications and electronic information. This activity is more appropriately done by the 
FBI. Second, we are concerned that the bill will provide NIST with new tasks but 
no new funding to carry out this work. We have similar concerns with section 402. 
The advisory board, whose correct statutory name is “Computer System Security 
and Privacy Advisory Board,” is made up of 13 volunteers. Again, any additional 
tasks assigned to this board would require necessary funding. 

The Administration does not seek encryption export control legislation, nor do we 
believe such legislation is needed. The current regulatory structure provides for bal- 
anced oversight of export controls and the flexibility needed to adjust to our eco- 
nomic, foreign policy and national security interests to advances in technology. This 
is the best approach to an encryption policy that promotes secure electronic com- 
merce, maintains U.S. lead in information technology, protects privacy, and protects 
public safety and national security interests. 

As you know, public debate over encryption policy has been lively and often acri- 
monious. Some of those on both sides of the debate are not interested in searching 
for a middle ground that can meet all of our needs. Our dialogue with industry has 
gone a long way toward bridging that gap and finding common ground. We will continue 
this policy of cooperative exchange, which is clearly the best way to pursue 
our policy objectives of balancing public safety, national security, and the competi- 
tive interests of U.S. companies. 

Senator Burns. Thank you, Mr. Secretary. I want to also thank 
you for the dialog we have had. We are not new to this debate. We 
have been going through it. But we have learned, I think, from 
each other. It is enlightening to know how the evolution of the 
mind set changes as technology moves forward. 

We are pleased to welcome Jim Robinson, Assistant Attorney 
General for the Criminal Division. Thank you for coming this 
morning. 

STATEMENT OF HON. JAMES K. ROBINSON, ASSISTANT ATTORNEY 
GENERAL, CRIMINAL DIVISION, U.S. DEPARTMENT OF JUSTICE 

Mr. Robinson. Mr. Chairman, members of the committee: I ap- 
preciate the opportunity to appear to — 

Senator Burns. Do you want to pull the microphone a little clos- 
er to you. 

Mr. Robinson. I will, Senator. Thank you. 

I appreciate the opportunity to present the views of the Justice 
Department on the issue of encryption and export controls. As you 
would expect, the Justice Department is particularly interested in 
the important public safety interests implicated in the encryption 
debate. I would like to emphasize some of the key points outlined 
in my written statement submitted to the committee and to place 
those thoughts in a more personal context. 

When I took office as the Assistant Attorney General for the 
Criminal Division about a year ago this month, I quickly learned 
how important the encryption debate is to law enforcement. I 
served as the U.S. Attorney for the eastern district of Michigan 
from 1977 to 1980. From a technological point of view, the world 
was a very different place in those days, both for our society in gen- 
eral and certainly for law enforcement. 

Technological advances have made important new tools available 
to law enforcement for the successful investigation and prosecution 
of criminal activity. These tools have enhanced law enforcement’s 
ability to protect public safety and to achieve just results. The use 
of DNA evidence is a prime example. DNA evidence can not only 
provide strong evidence of guilt, it can be powerful evidence of in- 
nocence. 

Technology has also enhanced law enforcement’s capacity for 
early detection and prevention of criminal acts. But technological 
progress has also had its costs. The potential dark side of this 
progress is that well-financed criminal elements are also using new 
technology to commit crimes, avoid detection, and to cover their 
tracks. Traditional highly-effective law enforcement techniques are 
threatened by these developments. 

The issue of encryption starkly presents both aspects of techno- 
logical progress. Encryption supports public safety and law enforce- 
ment by protecting sensitive and personal information from unau- 
thorized access. Encryption is therefore, as many have said here 
this morning, an absolutely essential tool for preventing crime in 
the information age. 

The Department is, however, deeply concerned about the other 
side of encryption, the threat to public safety posed by the wide- 
spread use of nonrecoverable encryption by criminals. Thus the 
Justice Department supports the spread of strong recoverable 
encryption both to protect the privacy and safety of American citi- 
zens and the security of our information infrastructure. 

Assessing the benefits versus the risks of encryption for law en- 
forcement in today’s world is complex enough, but the issue is 
made even more complex and problematic by the expanding use of 
global information networks like the Internet. Technological ad- 
vances in electronic commerce and communication, as we all know, 
have led to the explosive growth of the Internet. This development 
has made the use of robust encryption essential for protecting the 
privacy and security of communications and stored electronic data. 

This new technology, however, has also made it possible for 
international criminals and terrorists to target America in an un- 
precedented number of ways, such as fraud over the Internet, com- 
puter hacking, economic and governmental espionage, and 
cyberterrorism. We are also seeing a dramatic growth of inter- 
national crime with grave potential consequences for the Nation. 

Law enforcement must be concerned not only with the use of 
encryption by domestic criminals, but increasingly we must be con- 
cerned by the ability of foreign criminals and terrorists to target 
America and use robust encryption to hide their criminal activity. 
Law enforcement agencies in the United States and abroad have 
already begun to see cases where encryption has been used in an 
attempt to conceal criminal activity. The number and complexity of 
these cases will certainly increase as increasingly powerful 
encryption proliferates. 

As this committee considers the issue of encryption, we trust that 
it will consider also, as we know it will, the very real cost to public 
safety that the use of nonrecoverable encryption by terrorists, drug
dealers, and other criminals will pose. Faced with the use of such 
encryption, agents frequently and increasingly will be unable to 
make effective use of search warrants, wiretap orders, and other 
legal processes authorized by Congress and sanctioned by the 
courts. Law enforcement will find it increasingly difficult to obtain 
important evidence of criminal activities. Critical evidence to sup- 
port successful prosecution may simply be unavailable. In short, 
this will mean that fewer crimes will be prevented and fewer crimi- 
nals will be caught, prosecuted, and taken off the streets. 

Despite these challenges to effective law enforcement, we cannot 
and must not ignore the significant benefits of encryption. That is 
why the Department supports a carefully balanced approach to ex- 
port controls, an approach that seeks to encourage the favorable 
uses of encryption while minimizing its negative effects on public 
safety and national security. The Department believes that the 
rapid elimination of export controls as proposed in the PROTECT 
Act would upset this delicate balance. It is likely that the passage 
of this act would cause in the near term the easy acquisition of ro- 
bust nonrecoverable encryption products, not only by people we 
want to have them, but by terrorist organizations and international 
criminals on a global scale. This development will substantially 
frustrate the ability of law enforcement to combat international 
criminal activity. 

Instead of encryption decontrol, we believe that a continuing dia- 
logue offers the best hope of developing workable solutions to the 
encryption dilemma. Law enforcement has been engaging industry 
leaders in a continuing and cooperative dialogue in an attempt to 
work toward voluntary solutions that accommodate the needs of 
privacy, electronic commerce, national security, and public safety. 
We will continue to work hard to make sure that these productive 
discussions will continue to bear fruit. 

We are realists. We understand that no matter what solutions in- 
dustry develops and no matter what policy is adopted by the Ad- 
ministration and by Congress, some criminals will obtain and use 
robust nonrecoverable encryption that will deny law enforcement 
the ability to obtain useable evidence. We cannot afford to stand 
still while technology passes us by. Therefore, in addition to an in- 
tensive dialogue with industry and continuing to work with the 
international community on this important topic, law enforcement 
must continue developing its own technical expertise to deal effec- 
tively with encrypted evidence of criminal activity. 

The Department has begun initiatives such as the funding of a 
centralized technical resource within the FBI which will support 
Federal, State and local law enforcement personnel in developing 
a broad range of expertise, technologies, and tools to respond di- 
rectly to the threat to public safety posed by the use of encryption 
by criminals and terrorists. 

In conclusion, we believe that an approach that balances the 
need for secure private communications and data storage with the 
equally important need to protect the safety of the public against 
threats from terrorists and criminals is the best policy. 

We appreciate your willingness to consider these important public
safety concerns and we look forward to working with you on this
important issue. Thank you very much. 

[The prepared statement of Mr. Robinson follows:] 

Prepared Statement of James K. Robinson, Assistant Attorney General, 
Criminal Division, U.S. Department of Justice 

Mr. Chairman, thank you for the opportunity to testify about the Department of 
Justice’s views on encryption, and particularly the proposed Promote Reliable On- 
Line Transactions to Encourage Commerce and Trade (PROTECT) Act, introduced 
by you as S. 798. As you are aware, encryption, and specifically export controls on 
encryption, presents complex and difficult issues that we are attempting to address 
with our colleagues throughout the Administration. In my testimony, I will first out- 
line the basic perspective and recent initiatives of the Department of Justice on 
encryption issues, and will then discuss some specific concerns with the PROTECT 
Act. 


ENCRYPTION, THE LAW ENFORCEMENT PERSPECTIVE 

The Department of Justice supports the spread of strong, recoverable encryption. 
Law enforcement’s responsibilities and concerns include protecting privacy and com- 
merce over our nation’s communications networks. For example, we prosecute under 
existing laws those who violate the privacy of others by illegal eavesdropping, com- 
puter hacking or theft of confidential information. Over the last few years, the De- 
partment has continually pressed for laws protecting confidential information and 
the privacy of citizens. Furthermore, we help protect commerce by enforcing the 
laws, including those that protect intellectual property rights, and that combat com- 
puter and communications fraud. (In particular, we help to protect the confiden- 
tiality of business data through enforcement of the recently enacted Economic Espio- 
nage Act.) Our support for robust encryption is a natural outgrowth of our commit- 
ment to protecting privacy for personal and commercial interests. As the head of the 
Criminal Division of the Department of Justice, I hold these values dear. 

But the Department of Justice protects more than just privacy. We also protect 
public safety and national security against the threats posed by terrorists, organized 
crime, foreign intelligence agents, and others. Moreover, we have the responsibility 
for preventing, investigating, and prosecuting serious criminal and terrorist acts 
when they are directed against the United States. We are gravely concerned that 
the proliferation and use of non-recoverable encryption by criminal elements would 
seriously undermine these duties to protect the American people. Therefore, we 
favor the spread of strong encryption products that permit timely and legal law en- 
forcement access to plaintext. 

The most easily understood example is electronic surveillance. Court-authorized 
wiretaps have proven to be one of the most successful law enforcement tools in pre- 
venting and prosecuting serious crimes, including drug trafficking and terrorism. 
We have used legal wiretaps to bring down entire narcotics trafficking organiza- 
tions, to rescue young children kidnaped and held hostage, and to assist in a variety 
of matters affecting our public safety and national security. In addition, as society 
becomes more proficient in its use of computers, evidence of crimes is increasingly 
found in stored computer data, which can be searched and seized pursuant to court- 
authorized warrants. But if non-recoverable encryption proliferates, these critical 
law enforcement tools would be nullified. Thus, for example, even if the government 
satisfies the rigorous legal and procedural requirements for obtaining a wiretap 
order, the wiretap would be worthless if the intercepted communications of the tar- 
geted criminals amount to an unintelligible jumble of noises or symbols. Or we 
might legally seize the computer of a terrorist and be unable to read the data identi- 
fying his or her targets, plans and co-conspirators. The potential harm to public 
safety, law enforcement, and to the nation’s domestic security could be devastating. 

I want to emphasize that this concern is not theoretical, nor is it exaggerated. Al- 
though use of encryption is far from universal, we have already begun to encounter 
its harmful effects. For example, in an investigation of a multinational child pornog- 
raphy ring, investigators discovered sophisticated encryption used to conceal thou- 
sands of images of child pornography that were exchanged among members. Simi- 
larly, in several major computer hacker cases, the subjects have encrypted computer 
files, thereby concealing evidence of serious crimes. In one such case, the govern- 
ment was unable to determine the full scope of the hacker’s activity because of the 
use of encryption. Finally, criminal use of encryption is becoming increasingly inter- 
national — the United Kingdom recently reported that in 1996 it seized encrypted 
files from a Northern Irish terrorist group concerning terrorist targets such as police
officers and politicians. In that case, law enforcement was able to read the data, but
only after considerable effort. 

The lessons learned from these investigations are clear: criminals are beginning 
to learn that encryption is a powerful tool for keeping their crimes from coming to 
light. Moreover, as encryption proliferates and becomes an ordinary component of 
mass market items, and as the strength of encryption products increases, the threat 
to public safety will increase proportionately. 

Given both the benefits presented and risks posed by encryption, the Department 
believes that encouraging the use of recoverable encryption products — which protect 
business and personal data as well as public safety — is an important part of the Ad- 
ministration’s balanced encryption policy. Recoverable products also fulfill business 
needs. Information technology companies have told us that their customers recog- 
nize the need to ensure recoverability of their data when using strong encryption; 
otherwise, they risk losing access to their data forever. For example, a company 
might find that one of its employees lost his encryption key, thus accidentally de- 
priving the business of important and time-sensitive business data. We should point 
out that loss of an encryption key is not theoretical. One company told us that em- 
ployees commonly lose or forget their passwords, which must then be restored by 
system administrators. The same capability must exist for encryption systems. Simi- 
larly, a business may find that a disgruntled employee has encrypted confidential 
information and then absconded with the key. In these cases, a plaintext recovery 
system promotes important private sector interests. Indeed, as the Government im- 
plements encryption in our own information technology systems, it also has a busi- 
ness need for plaintext recovery to assure that data and information that we are 
statutorily required to maintain are in fact available at all times. For these reasons, 
as well as to protect public safety, the Department has been affirmatively encour- 
aging the voluntary development of “plaintext” recovery products, recognizing that 
only their ubiquitous use will provide both protection for data and protection of pub- 
lic safety. We also want to underscore that in most recoverable systems, businesses 
will manage their own keys. 

Because we remain concerned with the impact of encryption on the ability of law 
enforcement at all levels of government to protect the public safety, the Department 
and the FBI are engaged in continuing discussions with industry in a number of 
different fora. These ongoing, productive discussions seek to find creative solutions, 
in addition to key recovery, to the dual needs for strong encryption to protect pri- 
vacy and plaintext recovery to protect public safety and business interests. While 
we still have work to do, these dialogues have been useful because we have discov- 
ered areas of agreement and consensus, and have found promising areas for seeking 
compromise solutions to these difficult issues. While we do not think that there is 
one magic technology or solution to all the needs of industry, private citizens, and 
law enforcement, we believe that by working with those in industry who create and 
market encryption products, we can benefit from the accumulated expertise of in- 
dustry to gain a better understanding of technology trends and develop advanced 
tools that balance privacy and security. 

Furthermore, we believe that a constructive dialogue on these issues is the best 
way to make progress, rather than export control legislation. Although export con- 
trols on encryption products have been in place for years and exist primarily to pro- 
tect national security and foreign policy interests, they are in no sense inflexible, 
and have been updated in recent years in a continuing effort to balance the needs 
of privacy, electronic commerce, public safety, and national security. Indeed, largely 
as a result of the dialogue the Administration has had with industry, significant 
progress has been made on export controls. Recent updates were announced by Vice 
President Gore on September 16, 1998, and implemented in an interim rule, which 
was issued on December 31, 1998. The Department of Justice supports these updates
to export controls, which permit the export of products that have a bit length
of 56-bits or less, and also permit the easy export of unlimited-strength encryption 
to certain industry sectors, including medical facilities and banks, financial institu- 
tions, and insurance companies in most jurisdictions. These changes allow these sec- 
tors, which possess large amounts of highly sensitive and personal information, to 
use products that will protect the privacy of their clients. The Administration also 
expanded its policy to permit recoverable exports, such as encryption systems man- 
aged by network administrators, to foreign commercial firms. We learned about 
these systems through our dialogue with industry. According to industry, such sys- 
tems are demanded by the market today and are in use. They are also largely con- 
sistent with the needs of law enforcement. 

The Department, in conjunction with the rest of the Administration, intends to 
continue our dialogue with industry, and will evaluate the export control process on 
an ongoing basis in order to ensure that the balance of interests remains fair to all
concerned. We agree that there are a wide range of national interests that must be
supported, including U.S. industry competitiveness. Hence, we are committed to con- 
tinued review and dialogue with industry. 

At the same time, we must recognize that market forces will only take us so far. 
To the extent that criminal activity, such as terrorism or child pornography, occurs 
outside the business environment, criminals would rather lose data than have it 
seized by law enforcement. Thus, more must be done. Therefore, the Department 
of Justice is also trying to address the threat to public safety from the widespread 
use of encryption by enhancing the ability of the Federal Bureau of Investigation 
and other law enforcement entities to obtain the plaintext of encrypted commu- 
nications. Among the initiatives is the funding of a centralized technical resource 
within the FBI. This resource, when fully established, will support federal, state, 
and local law enforcement in developing a broad range of expertise, technologies, 
tools, and techniques to respond directly to the threat to public safety posed by the 
widespread use of encryption by criminals and terrorists. It will also allow law en- 
forcement to stay abreast of rapid changes in technology. Finally, it will enhance 
the ability of law enforcement to fully execute the wiretap orders, search warrants, 
and other lawful process issued by courts to obtain evidence in criminal investiga- 
tions when encryption is encountered. However, we must recognize that these ef- 
forts — while critical — do not (like market forces) alone provide an adequate solution 
to the encryption problem, as the widespread use of non-recoverable encryption by 
criminals would quickly overwhelm any possible law enforcement technical re- 
sponse. 


THE PROTECT ACT 

In light of the above, the proposed Promote Reliable On-Line Transactions to En- 
courage Commerce and Trade Act raises several concerns from the perspective of 
the Department of Justice. First, the Act may impede the voluntary development 
of products that could assist law enforcement in obtaining access to plaintext. The 
Administration believes that the development of such products is important for a 
safe society. For example, the Act might preclude the United States government 
from utilizing useful and appropriate incentives to develop or use key recovery tech- 
niques, such as purchasing key recovery products for its own use and supporting 
pilot projects that demonstrate the viability of key recovery. 

Second, the Act also could impair the government’s ability to engage in secure 
electronic commerce. We are concerned that the breadth of the language in sub- 
section 202(c) may limit the ability of an agency to require a certain type of authen- 
tication mechanism for transactions between the public and the government. (For 
example, in the context of an electronic filing of a regulatory report, a tax return,
or an application for benefits, authentication of the filer’s identity is critical, includ- 
ing for any subsequent enforcement action.) This concern is raised because the defi- 
nition of “encryption” includes the use of mathematical formulas to preserve not 
only confidentiality, but also integrity or authenticity. 

Third, the PROTECT Act places responsibility for developing techniques for ob- 
taining lawful access to the plaintext of communications and data in the National 
Institute for Standards and Technology (NIST). As I noted above, the Department
of Justice has already begun to create a centralized technical resource within the 
FBI to develop a broad range of expertise, technologies, tools, and techniques to re- 
spond to the use of encryption by criminals and terrorists. In my view, the responsi- 
bility for developing such tools and techniques should in this case lie with law en- 
forcement, because it is law enforcement that has the operational expertise to un- 
derstand the requirements for such tools and techniques to be effective. Moreover, 
it is law enforcement that will actually have to put the techniques into practice. In- 
stead of conferring this new responsibility on NIST, I would request that Congress 
continue to support our efforts to develop technical expertise within the law enforce- 
ment community. 

Fourth, we share the deep concern of the National Security Agency that the proposed
PROTECT Act would harm national security and public safety interests
through the liberalization of export controls far beyond our current policy. Among 
other decontrols, the proposed Act provides that a product is to be exportable if a 
product of equivalent strength or key length will be available outside the United 
States in the next 12 months — even if the product of supposedly equivalent strength 
is intended for different uses, is not user-friendly or widely used, is not cost-competi- 
tive, or does not present the same threats to national security. We are concerned 
that this considerable decontrol of robust encryption will cause in the near term the 
easy acquisition of robust encryption products by terrorist organizations and international
criminals and frustrate the ability of law enforcement to combat these
problems internationally. Moreover, the structure and functions of the proposed 
Encryption Export Advisory Board raise concerns under separation of powers prin- 
ciples and the Appointments Clause. 

It is also important to consider that our allies concur that unrestricted export of 
encryption poses a significant risk to national security, especially to regions of con- 
cern. As recently as December 1998, the thirty-three members of the Wassenaar Ar- 
rangement reaffirmed the importance of export controls on encryption for national 
security and public safety purposes and adopted agreements to enable governments 
to review exports of hardware and software with a 56-bit key length and above and 
mass-market products above 64 bits, consistent with national export control proce- 
dures. Thus, the elimination of U.S. export controls, as provided by the proposed 
Act, would severely hamper the international community’s efforts to combat such 
international public safety concerns as terrorism, narcotics trafficking, and orga- 
nized crime. 

In light of these factors, we believe that the Administration’s more cautious bal- 
anced approach is the best way to protect our commercial interests, including our 
interest in ensuring the success of U.S. industry and electronic commerce, while si- 
multaneously protecting law enforcement and national security interests. We believe 
that legislation that eliminates or substantially reduces export controls on 
encryption could upset that delicate balance and is unwise. 

The recent decision of the United States Court of Appeals for the Ninth Circuit 
in Daniel Bernstein v. United States Department of Justice and United States De- 
partment of Commerce has not changed our view that legislation eliminating or sub- 
stantially reducing export controls is contrary to our national interests. The Depart- 
ment of Commerce and the Department of Justice are currently reviewing the Ninth 
Circuit’s decision in Daniel Bernstein v. United States Department of Justice and 
United States Department of Commerce, and we are considering possible avenues for 
further review, including seeking a rehearing of the appeal en banc in the Ninth 
Circuit. In the interim, the regulations controlling the export of encryption products 
remain in full effect, even as to Professor Bernstein’s own software. 

In sum, we as government leaders should embark upon the course of action that 
best preserves the balance long ago set by the Framers of the Constitution, preserving
both individual privacy and society’s interest in effective law enforcement.
We should promote encryption products which contain robust cryptography but that 
also provide for timely and legal law enforcement access to encrypted evidence of 
criminal activity. We should also find ways to support secure electronic commerce 
while minimizing risk to national security and public safety. This is the Administra- 
tion’s approach. We look forward to working with this Committee as it enters the 
markup phase of this bill. 

Senator Burns. Thank you very much. We will get into some 
questions this morning in a few moments. 

We welcome this morning Barbara McNamara, Deputy Director, 
National Security Agency. Thank you for coming this morning. 

STATEMENT OF BARBARA A. McNAMARA, DEPUTY DIRECTOR, 
NATIONAL SECURITY AGENCY 

Ms. McNamara. Thank you, Mr. Chairman, members. 

Senator Burns. Pull up that microphone a little. You have such 
a sweet, soft voice. 

Ms. McNamara. Thank you, Mr. Chairman. There are other peo- 
ple in this room who would probably take issue with that comment, 
but I am pleased to hear it. 

Senator Burns. They are not the chairman. 

Ms. McNamara. But thank you very much, and it is a pleasure 
to be here today to talk about this particular bill and its impact 
on national security from NSA’s standpoint. 

NSA plays a critical role in our national security. We intercept 
and analyze the communications signals of foreign adversaries to 
produce critically unique and actionable intelligence reports for our 
national leaders and military commanders. Very often time is of 
the essence. Intelligence is perishable. It is worthless if we cannot
get it to the decision-maker in time to make a difference. 

Signals intelligence proved its worth in World War II when the 
United States broke the Japanese naval code and learned of their 
plans to invade Midway Island. This significantly aided the U.S. 
defeat of the Japanese fleet and helped shorten the war. Today 
NSA is providing that same kind of intelligence support to our 
troops in the former Yugoslavia and other locations around the 
world wherever U.S. military forces are deployed. 

Demands on NSA for timely intelligence have only grown since 
the breakup of the Soviet Union and have expanded into national 
security areas of terrorism, weapons proliferation, and narcotics 
trafficking. Currently many of the world’s communications are 
unencrypted. If not controlled, encryption will spread and be widely 
used by foreign adversaries that have traditionally relied upon 
unencrypted communications. As a result, much of the crucial in- 
formation we are able to provide today could quickly become un- 
available to U.S. decision-makers. 

As you review the PROTECT Act, it is very important that you 
understand the significant effect certain provisions of this bill will 
have on national security. In particular, NSA is concerned about 
the establishment of an Encryption Export Advisory Board heavily 
weighted to private sector representation. This effectively cedes 
control over U.S. export policy to the private sector. 

Furthermore, the board is to base its recommendation for export 
on the foreign availability or public availability of comparable prod- 
ucts. In the interests of national security, encryption export policy 
should not and cannot be based solely on foreign availability. 

The PROTECT Act calls for the export of a product greater than 
64 bits if it will generally be widely available from a foreign sup- 
plier within the next 12 months. Any policy based on the foreign 
or public availability of a comparable product, especially a year in 
advance of its actual appearance in the marketplace, will force ad- 
ministration policy to be driven by unfounded market trends with- 
out consideration of national security or foreign policy interests. 

Foreign products are often not as widely used as reported, as se- 
cure as advertised, or as easy to use for lack of an infrastructure 
as represented. In many cases, a foreign encryption product is sub- 
ject to the export controls of the country in which it is manufac- 
tured. In the case of the other 32 Wassenaar nations, an encryption 
product is held to the same or similar standards as U.S. products. 

In addition, there are other important concerns that must be 
taken into consideration when deciding if a product should be ex- 
ported, such as to whom the product is exported and for what pur- 
pose. In that regard, the PROTECT Act also eliminates the end 
user reporting that is so valuable to national security. 

The PROTECT Act permits strong encryption products to be ap- 
proved under a license exception for export to so-called “trust- 
worthy entities and regions” without prior government knowledge 
of intended end users. These include any foreign partners of U.S. 
companies, other governments, and almost any foreign commercial 
firm in any country. Some end users could in fact be targets of na- 
tional security interests, such as narcotics traffickers. 

The PROTECT Act also automatically decontrols the export of
strong encryption in the form of systems using the Advanced 
Encryption Standard to any destination upon adoption of AES, but 
at least by January 1, 2002. While current U.S. policy has opened 
up many sectors in many nations, it has done this in a thoughtful 
manner that minimizes the risks to important national security
interests. The PROTECT Act upsets this delicate balance by widely 
expanding exports without due consideration to national security. 

Finally, the PROTECT Act’s 15-day technical review period is too 
rigid to permit a meaningful technical review. The government 
needs the opportunity to review a proposed export to assure it is 
compatible with U.S. national security interests and requires the 
ability to deny an export application if national security concerns 
are not adequately addressed. 

The ability to know what is being considered for export is a key 
part of U.S. export control policy. In some cases today, this process 
takes longer than 15 days because insufficient information is pro- 
vided as part of the initial application. 

Let me make it clear. We want U.S. companies to effectively com- 
pete in world markets. In fact, it is something that we strongly 
support as long as it is consistent with national security needs. 

In summary, the PROTECT Act will harm national security. It 
will make NSA’s job of providing critical actionable intelligence to 
our leaders and military commanders difficult, if not impossible, 
thus putting our Nation’s security at considerable risk. The United 
States cannot have an effective decision-making process or a strong 
fighting force or a responsive law enforcement community or a 
strong counterterrorism capability unless the information required 
to support them is available in time to make that difference. 

Thank you, gentlemen. 

[The prepared statement of Ms. McNamara follows:] 

Prepared Statement of Barbara A. McNamara, Deputy Director, National
Security Agency

Mr. Chairman, thank you for giving me the opportunity today to discuss the im- 
portant issue of encryption. I will be discussing the national security needs for ex- 
port controls on encryption and why we oppose legislation that would effectively lift 
those controls. I will then address specific concerns NSA has with provisions of the 
PROTECT Act. However, I should like to begin by briefly introducing the National 
Security Agency (NSA) and its mission. 

The National Security Agency was founded in 1952 by President Truman. As a 
separately organized agency within the Department of Defense, NSA provides sig- 
nals intelligence to a variety of users in the Federal Government and secures infor- 
mation systems for the Department of Defense and other U.S. Government agencies. 
NSA was designated a Combat Support Agency in 1988 by the Secretary of Defense 
in response to the Goldwater-Nichols Department of Defense Reorganization Act. 

The ability to understand the secret communications of our foreign adversaries 
while protecting our own communications — a capability in which the United States 
leads the world — gives our nation a unique advantage. The key to this accomplish- 
ment is cryptology, the fundamental mission and core competency of NSA. 
Cryptology is the study of making and deciphering codes, ciphers, and other forms 
of secret communications. NSA is charged with two complementary tasks in 
cryptology: first, exploiting foreign communications signals and second, protecting 
the information critical to U.S. national security. By “exploitation,” I am referring 
to signals intelligence, or the process of deriving important intelligence information 
from foreign communications signals; by “protection” I am referring to providing se- 
curity for information systems. Maintaining this global advantage for the United 
States requires preservation of a healthy cryptologic capability in the face of unpar- 
alleled technical challenges. 





It is the signals intelligence (SIGINT) role that I want to address today. Our prin- 
cipal responsibility is to ensure a strong national security environment by providing 
timely information that is essential to critical military and policy decision making. 
NSA intercepts and analyzes the communications signals of our foreign adversaries, 
many of which are guarded by codes and other complex electronic countermeasures. 
From these signals, we produce vital intelligence reports for national deci- 
sion makers and military commanders. Very often, time is of the essence. Intel- 
ligence is perishable; it is worthless if we can not provide it in time to make a 
difference in rendering vital decisions. 

For example, SIGINT proved its worth in World War II when the United States 
broke the Japanese naval code and learned of their plans to invade Midway Island. 
This intelligence significantly aided the U.S. defeat of the Japanese fleet. Subse- 
quent use of SIGINT helped shorten the war. NSA continues today to provide vital 
intelligence to the warfighter and the policy maker in time to make a difference for 
our nation’s security. Demands on us in this arena have only grown since the breakup
of the Soviet Union and have expanded to address other national security threats
such as terrorism, weapons proliferation, and narcotic trafficking, to name a few. 

Because of these growing serious threats to our national security, care must be 
taken to protect our nation’s intelligence equities. Passage of legislation that decon- 
trols the export of strong encryption will significantly harm NSA’s ability to carry 
out our mission and will ultimately result in the loss of essential intelligence report- 
ing. This will greatly complicate our exploitation of foreign targets and the timely 
delivery of intelligence to decision makers because it will take too long to decrypt 
a message — if indeed we can decrypt it at all. 

Today, many of the world’s communications are unencrypted. Historically,
encryption has been used primarily by governments and the military. It was em- 
ployed for confidentiality in hardware-based systems and was often cumbersome to 
use. As encryption moves to software-based implementations and the infrastructure 
develops to provide a host of encryption-related security services, encryption will 
spread and be widely used by other foreign adversaries that have traditionally re- 
lied upon unencrypted communications. The decontrol of encryption exports would 
accelerate the use of encryption by many of these adversaries and as a result, much 
of the crucial information we are able to gather today could quickly become unavail- 
able to us. National security must have an opportunity to conduct a meaningful re- 
view of encryption products prior to their export. In the past, this review process 
has provided us with valuable insight into what is being exported, to whom, and for
what purpose. Without this review and the ability to deny an export application, it 
will be impossible to control exports of encryption to individuals and organizations 
that threaten the United States. For instance, decontrol will undermine inter- 
national efforts to prevent terrorist attacks, and catch terrorists, drug traffickers, 
and proliferators of weapons of mass destruction. 

Please do not confuse the needs of national security with the needs of law enforce- 
ment. The two sets of interests and methods vary considerably and must be ad- 
dressed separately. The law enforcement community is primarily concerned about 
the use of non-recoverable encryption by persons engaged in illegal activity. At NSA, 
we are primarily focused on preserving export controls on encryption to protect na- 
tional security. 

While our mission is to provide intelligence to help protect the country’s security, 
we also recognize that there must be a balanced approach to the encryption issue. 
The interests of industry and privacy groups, as well as of the Government, must 
be taken into account. Encryption is a technology that will allow our citizens to fully 
participate in the 21st Century world of electronic commerce. It will enhance the 
economic competitiveness of U.S. industry. It will combat unauthorized access to private
information and it will deny adversaries from gaining access to U.S. information
wherever it may be in the world.

To promote this balanced approach, we are engaged in an ongoing and productive 
dialogue with industry. The recent Administration update to the export control reg- 
ulations addresses many industry concerns and has significantly advanced the abil- 
ity of U.S. vendors to participate in overseas markets. Of equal significance, the 
Wassenaar nations, representing most major producers and users of encryption, 
agreed unanimously in December 1998 to control strong hardware and software 
encryption products. The Wassenaar Agreement clearly shows that other nations 
agree that a balanced approach is needed on encryption policy and export controls 
so that commercial and national security interests are addressed. Both are positive 
developments because they open new opportunities for U.S. industry while still pro- 
tecting national security. These are examples of the kinds of advances possible 
under the current regulatory structure, which provides greater flexibility than a 
statutory structure to adjust export controls as circumstances warrant in order to 
meet the needs of Government and industry. We want U.S. companies to effectively
compete in world markets. In fact, it is something we strongly support as long as
it is done consistently with national security needs. NSA supports the recent updates
to the Administration’s policy. The export provisions were carefully designed to open
up large commercial markets while trying to minimize potential risk to national security.
We believe significant progress was made.

As you review the PROTECT Act, it is very important that you understand the 
significant effect certain provisions of this bill will have on national security. In par- 
ticular, NSA is concerned about the establishment of an Encryption Export Advisory 
Board, heavily weighted to private sector representation. This effectively cedes con- 
trol over U.S. encryption export policy to the private sector. Furthermore, the Board 
is to base its recommendation for export on the foreign availability or public avail- 
ability of comparable products. In the interests of national security, encryption ex- 
port policy should not be based solely on foreign availability or public availability. 
The PROTECT Act calls for the export of a product greater than 64-bits if it will 
be generally or widely available from a foreign supplier within the next twelve 
months. Any policy based on the foreign or public availability of a comparable prod- 
uct, especially a year in advance of its actual appearance in the marketplace, will 
force Administration policy to be driven by unfounded market trends without consid- 
eration of national security or foreign policy interests. 

Foreign products are often not as widely used as reported, as secure as advertised, 
or as easy to use (for lack of an infrastructure) as represented. In many cases, a foreign
encryption product is subject to the export controls of the country in which it
is manufactured. In the case of the other 32 Wassenaar nations, an encryption prod- 
uct is held to the same, or similar, standards as U.S. products. In addition, there 
are other important concerns that must be taken into consideration when deciding 
if a product should be exported, such as to whom the product is exported, and for 
what purpose. In that regard, the PROTECT Act also eliminates the end-user re- 
porting that is so valuable to national security. 

The PROTECT Act permits strong encryption products to be approved under a li- 
cense exception or export to so-called “trustworthy” entities and regions without 
prior government knowledge of intended end-users. These include any foreign part- 
ners of U.S. companies, other governments, and almost any foreign commercial firm 
in any country. Some end-users could, in fact, be targets of national security interest,
such as narcotics traffickers. The PROTECT Act also automatically decontrols
the export of strong encryption in the form of systems using the Advanced 
Encryption Standard (AES) systems to any destination, upon the adoption of AES, 
but at least by January 1, 2002. While current U.S. policy has opened up many sec- 
tors in many nations, it has done this in a thoughtful manner that minimizes the 
risk to important national security interests. The PROTECT Act could upset this 
delicate balance by widely expanding exports without due consideration to national 
security. 

Finally, the PROTECT Act’s 15-day technical review period is too rigid and too 
short to permit a meaningful technical review. The Government needs the opportunity
to review a proposed export to assure it is compatible with U.S. national security
interests and requires the ability to deny an export application if national security
concerns are not adequately addressed. The ability to know what is being considered
for export is a key part of U.S. export control policy. In some cases today,
this process takes longer than 15 days because insufficient information is provided 
as part of the initial application. 

In summary, the PROTECT Act will harm national security by making NSA’s job 
of providing vital intelligence to our leaders and military commanders difficult, if 
not impossible, thus putting our nation’s security at some considerable risk. Our na- 
tion cannot have an effective decision-making process, a strong fighting force, a re- 
sponsive law enforcement community, or a strong counterterrorism capability unless 
the intelligence information required to support them is available in time to make 
a difference. The nation needs a balanced encryption policy that allows U.S. indus- 
try to continue to be the world’s technology leader, but that policy must also protect 
our national security interests. 

Thank you for the opportunity to address the Committee. 

Senator Burns. Thank you. 

I will start it off here. I just want to ask the Deputy Director, 
why is it that we have not been very successful in our negotiations 
with other countries to come up with some kind of international 
policy with regard to the use of or the export of robust encryption? 
In other words, we have been talking to our, I think he is related 
to an ambassador, Aaron, and we have been told that countries are
moving to export controls, especially in the European Union and 
around the country, of which no agreement to my knowledge and 
we have drawn no conclusions to move in that direction in the last 
4 or 5 years ever since we have been doing this. 

Ms. McNamara. I believe we have had success in that, Mr. 
Chairman last December — well, let me begin by saying, last Sep- 
tember the U.S. Government, the U.S. administration, relaxed ex- 
port controls substantially, to include the 128-bit encryption that 
Senator Ashcroft was addressing earlier and to cover the firms in 
his home State that actually have locations overseas, to allow them 
to be able to use very strong encryption, 128-bit, to protect theirs.

Now, in December we took the U.S. policy to the Wassenaar 
countries. Those are 33 nations who are the principal producers of 
strong encryption around the world. That Arrangement — we took 
the U.S. relaxation strategy to that group of people and what we 
did at the time successfully was to close a loophole that the 
Wassenaar Arrangement had previously opened which was pro- 
viding an unlevel playing field and disadvantaging U.S. software 
companies. 

So last December we sought and got agreement by 33 nations to 
close that loophole. The Arrangement allows for all 33 of those na- 
tions to put in place, those who already did not have in place, ex- 
port controls that are essentially the same level as the controls 
that the U.S. administration relaxed to last September. 

With regard to what is going on in the European Union, we, the 
Administration — and I will turn this over to Secretary Reinsch to 
follow up on — but we are keeping our eye very closely on what is 
going on today in the European Union and what those foreign gov- 
ernments are thinking about in terms of encryption policies with 
regard to Europe. It is never our intent to allow anything to occur 
by foreign governments that would disadvantage U.S. industry. 

Senator Burns. Senator Ashcroft. 

Senator Ashcroft. Secretary Reinsch, would you say that 128- 
bit encryption is widely available and widely used today? 

Mr. Reinsch. No, I would say that it is available. Whether it is 
widely available is a judgment call. If it is not widely available 
today, it will be soon. It is becoming the state-of-the-art, if you will, 
so I think it is a matter of time, and I would not have a big argu- 
ment with you over the adjective. 

Whether it is widely used or not is a more complicated question, 
and I think Ms. McNamara commented on that in her statement. 
We believe that, for the reasons she cited, use is significantly less 
than the existence of the products. 

Senator Ashcroft. Do you know of any case where there has 
been a prosecution or an enforcement action taken against people 
who have, or criminals who have used encryption outside the range 
of encryption that has been provided as acceptable? It would be an 
export, I guess, enforcement because the use would be a violation 
of the export regulations. Have you enforced this against anyone? 

Mr. Reinsch. Yes, sir. 

Senator Ashcroft. How many cases have there been? 

Mr. Reinsch. I will have to get you the number. We have a num- 
ber of investigations ongoing, which of course we would not want 
to comment on. We have had a number of — we will have to get you
the number. I would say single digits at this point. 

Senator Ashcroft. But it is only illegal to export the encryption? 
It is not illegal to import the encryption? 

Mr. Reinsch. That is correct, there are no restraints on domestic 
use or on imports. 

Senator Ashcroft. So that it is a one way? In other words, if ter- 
rorists conspire overseas to do something, like to effect a terrorist 
act here in the United States, they can send material in that is 
encrypted to the United States? 

Mr. Reinsch. Well, we do not control in any event messages or 
information that is encrypted. What is controlled is the encryption 
that one would employ. 

Senator Ashcroft. Is the sending of an encrypted message from
the United States to another jurisdiction, does that qualify as an 
export of the encryption? 

Mr. Reinsch. No. 

Senator Ashcroft. It does not. So that — 

Mr. Reinsch. Unless the message contains an encryption algo- 
rithm which is controlled. But if I sent — if you were in Bonn and 
I sent you an e-mail and it is encrypted, no. 

Senator Ashcroft. So it is true that the person or the terrorist 
organization which buys its encryption from Siemens in Germany 
can operate say in the Middle East and send messages back and 
forth to the United States, having imported the algorithm to the 
United States from Germany and have taken the German algo- 
rithm to the Middle East, and they can communicate back and 
forth without violating any of our laws currently? 

Mr. Reinsch. Yes. There is no — it was never the intent of our 
policy to try to deal with that. 

Senator Ashcroft. Well, it seems to me that that is the threat 
that you keep saying that we are avoiding by having this policy, 
and yet you just described that it is not our intent to stop that 
threat with our policy. To use that as the basis for not allowing our 
companies to compete, at a time when you say we do not care if 
other companies compete in that way, gets to the heart of what 
confounds me about our policy here. 

We have basically said every other country that wants to can go 
ahead and do this in the world and terrorists can use it and have 
complete access to the utilization of this encrypted for all the bad 
reasons, but American firms cannot be involved in exporting it. It 
just seems that is where the disconnect comes with this Senator 
and that is what I am struggling with. 

You said that section 102 incentives — provides an incentive to 
move the development of encryption offshore in this bill. 

Mr. Reinsch. Yes, sir. 

Senator Ashcroft. It seems to me that we have just described 
the Administration policy as a monumental incentive to move 
encryption offshore because we have indicated that offshore-pro- 
duced encryption can be used both to send and receive robust 
encrypted material from the United States, to and from, without 
violating the policy or the law. 

Mr. Reinsch. Well, if I may comment, you have gone to one of
the core issues, and I think it is an important dialogue to have. Let 
me make a small point first and then the larger point. 

On the small point, the difference between section 102 and our 
policy is that our policy now would not permit a company to trans- 
fer encryption technology or production technology or encryp- 
tion algorithm overseas for production purposes. Section 102 would, 
and that is the distinction we are making. 

But the larger point you are making is a more important one, 
and let me say two things about that, if I may. One is that I think 
that, as Director McNamara acknowledged in her testimony, this 
is not a policy and there probably is no policy that is going to be 
air-tight with respect to our ability to prevent the kinds of people 
you cited, terrorists in your example, from obtaining and using ro- 
bust encryption. 

We do not believe that we can deal with every situation. The goal 
of our policy is to try to promote use in the marketplace of products 
that are law enforcement and national security-friendly, recog- 
nizing that a determined, committed terrorist who wants to use 
encryption can find ways around such a policy. But we believe by 
making, if we can, through market forces, the market standard, if 
you will, products that are more friendly to the interests of my two 
colleagues, what we will do over time is have more people, includ- 
ing some of the people that you are talking about, using this kind 
of encryption, which gives us some advantages. That is not going 
to happen in every case. We do not believe we can make it happen 
in every case. 

Now, the second point that relates to what you said is this ques- 
tion of foreign availability, and I would like to comment on that be- 
cause you commented in your opening statement on this as well. 
I think what Director McNamara said was that we do not want for- 
eign availability to be the sole criterion. 

Let me say that if it were the sole criterion for export control pol- 
icy, we would not have controls on machine tools, we would not 
have controls on biotoxins, we would not have controls on chemical 
weapons precursors, semiconductor manufacturing technology, or 
computers at virtually any level. There are very few technologies 
over which the United States has a monopoly any longer, and you 
are quite right in saying that encryption is not one of them, but 
neither are the ones that I have mentioned. 

If we are going to say that foreign availability ought to be our 
single standard or it ought to be the dispositive standard, the net 
result of that is I am not going to have very much to do in my job. 
It is our belief that you need to balance foreign availability consid- 
erations, obviously, and we do weigh foreign availability in our 
judgments without question, and Director McNamara just com- 
mented on why this is a particular issue in the European Union 
case. 

But at the end of the day — and the Congress has been telling me 
this for 12 months with respect to satellites, with respect to com- 
puters, with respect to machine tools, that foreign availability is 
not the last word on the subject. Now, I think that it is ironic, to 
say the least, if the Congress is going to turn around on encryption 
and say that foreign availability is the last word on the subject. 

Ms. McNamara. May I follow up, please? The fact that one terrorist
is using strong encryption that they either bought in the
United States and took overseas with them or bought in Europe 
and is using it to communicate with people in this country is not 
what is of concern to us. On an individual basis, the U.S. Govern- 
ment I believe is smart enough to figure out a way to solve that 
particular problem or address that particular problem. 

What we are talking about here is the issue of putting in place 
legislation which would allow the ubiquitous use of encryption 
around the world, independent of individuals. We can always solve 
an individual problem with an individual solution. But the subject 
of ubiquitous encryption has dramatic impact on our ability to do 
our national security business, and let me offer, if the Senator 
wishes, a classified presentation on some of the subjects that I can- 
not address in this particular room. 

Thank you. 

Senator Ashcroft. Mr. Chairman, may I just clarify an item or 
two? 

Senator Burns. You may. 

Senator Ashcroft. Because these remarks have been extensive. 

Mr. Reinsch. Sorry about that. 

Senator Ashcroft. No, that is all right. I am pleased to have 
these remarks. 

Mr. Reinsch. You wind me up and get me started. These things 
happen. 

Senator Ashcroft. Well, thank you. Especially when I think you 
are supporting my position, I welcome your remarks. 

Mr. Reinsch. Then I misspoke. [Laughter.] 

Senator Ashcroft. The Director just indicated that a person 
could buy and take overseas robust encryption from the United 
States and use it overseas. Is that considered an export? 

Mr. Reinsch. Yes, that would not be permitted. 

Senator Ashcroft. Well then, you disagree with her that a per- 
son can do that legally? 

Ms. McNamara. I did not say it was legal. I do not think we will 
ever prevent everybody from committing a crime. 

Senator Ashcroft. OK. Well, I thought we were — I would just 
like to indicate that I did not raise the issue of terrorists. I am not 
interested in protecting terrorists here. I am interested in pro- 
tecting our industry. But every time I want to protect the industry, 
one of you guys brings out the terrorist card and you throw it on 
the table and you say: “We cannot protect America because there 
are these evil people out there that are going to encrypt messages.” 

So I am interested in protecting U.S. companies, and I am also 
interested in protecting individuals. I guess some time I would like 
to have an answer why big companies and big business should 
have better, a greater right to privacy than individuals should in 
this country, and that commercial speech should be entitled to 
more integrity and privacy than individual speech. 

So the idea of ubiquitous encryption — which I am charmed by 
that phrase. I mean, I am going to try to use it as often as I can. 

Ms. McNamara. May I retract that from the record? 

Senator Ashcroft. I thought it might be a description of Senate 
speeches, but [Laughter.] 

I think ubiquitous encryption is probably what we are headed toward
in the marketplace of the world, and I think it is likely to be
based on software developed outside the United States if we make 
it impossible for our software producers to have robust encryption 
here, because I think people are going to prefer to have privacy in 
their communications. I think most of us do. Very few of us like 
the idea of our calls or our communications being intercepted. 

We are aware of technology that makes heard those things which 
were not heard. A whisper is no longer a whisper; it can become 
a shout with the right listening device. What we once thought was 
a secure transmission is now available. We want, we yearn for se- 
curity as individuals, and the idea somehow that big business is 
entitled to encryption and that individuals are not in their commu- 
nication is one of the hurdles that we have to kind of come together 
on somehow to solve this problem. 

Thank you, Mr. Chairman. 

Senator Burns. Senator Cleland, do you have a statement? I am 
sorry. We have had some arrivals here. 

STATEMENT OF HON. MAX CLELAND, U.S. SENATOR 
FROM GEORGIA 

Senator Cleland. Mr. Chairman, I would just like my ubiquitous 
opening statement to be 

Ms. McNamara. I think I am going to regret I ever used that 
term. 

Senator Cleland [continuing]. Submitted, without objection. 

Senator Burns. I want somebody to spell it. 

Senator Ashcroft. The National Spelling Bee concluded last 
week. 

Senator Cleland. Thank you all very much. 

I am an old Army signal officer and I am a little bit familiar with 
encryption and the power of encryption, both for the good guys and 
the bad guys. Mr. Robinson, I would like for you to help me a little 
bit. I am just trying to learn some new terminology here about re- 
covery. Apparently for law enforcement recovery is a key item, so 
nonrecoverable encryption becomes a problem. 

Recovery of what? How can you recover something that is 
encrypted, or is that the issue itself? 

Mr. Robinson. Well, I think it is, Senator, in a sense. What we
are really interested in is maintaining our ability — when we have 
probable cause and we go to court and get an order for electronic 
surveillance through a careful process that Congress has set out — 
to overhear communications. If what we get at the end of the road 
is encrypted, unrecoverable gibberish, we have a serious law en- 
forcement problem. 

I think that is true also of stored electronic data. Increasingly, 
as people store their records in electronic form, on laptops and oth- 
ers, we can get a search warrant — and frankly, I agree with Sen- 
ator Ashcroft. I think privacy interests are very, very important 
and I think people have a right to privacy. We are not looking for 
an opportunity to evade or invade individuals’ or companies’ rights 
to privacy, and that is why I said in my statement I think it is im- 
portant to have robust encryption. 





But in those situations in which we have probable cause and we 
have procedures whereby we can go to court and get a wiretap 
order, a search warrant, we are going to be substantially handi- 
capped if we do not try to contribute to an infrastructure that al- 
lows us to get plaintext out of these materials. That is our objec- 
tive. 

The how is a technological question. As the chairman indicated, 
I think we need the resources to try to solve this problem of what 
do we do with encrypted evidence of criminal activity. We have got 
to solve that problem, and we hope that there will be an infrastruc- 
ture, a contribution to an infrastructure, that will allow us to get 
plaintext when law enforcement needs to have it to prevent crimes 
from occurring, to investigate them, and then to put the evidence 
in. 

So that is essentially our equity, I think, in this debate. 

Senator Cleland. Help me out a little bit here. If we ease up on 
controls regarding exports of software, encryption software, that ex- 
pands the bits, namely expands I guess the capability of data or 
information being encrypted, if we ease up on controls that allow 
for those software packages which allow for expansion of the bits 
or expansion of encryption to be sold abroad, then what you are 
saying is that we might get that back as a pie in the face. In other 
words, we might get that back in a greater difficulty for law en- 
forcement to “recover” information; is that what I am hearing you 
say? 

Mr. Robinson. Yes, I think that is true. 

Senator Cleland. Ms. McNamara, in terms of the pie in the face 
for you, that would be the lesser ability to, shall we say, to use the 
terminology, recover, shall we say, intelligence to then pass on to 
our commanders in the field? That is what we are talking about? 

Ms. McNamara. That is an accurate characterization of the situ- 
ation, Senator. 

Senator Cleland. Mr. Reinsch, it seems like to me that this 
dovetails somewhat into the issue that we are all struggling with. 
I am on the Governmental Affairs Committee and the Senate 
Armed Services Committee. We are struggling with the issue of 
American technology, sensitive American technology, winding up in 
the hands of others, the most recent example being the Chinese, 
not just the espionage of our nuclear secrets and missile tech- 
nology, but some of the, shall we say, leaked technology on missile 
and satellite information that wound up in the hands of the Chi- 
nese. 

I would say that I was one of those who supported the licensing 
of this kind of technology to move from the Commerce Department 
to the State Department. I guess I am glad to see your bona fide 
concern, I think, in the Commerce Department about easing up on 
export controls on this sensitive information or this sensitive 
encryption capability. 

I gather that the Commerce Department is very sensitive to this, 
is that correct? 

Mr. Reinsch. Yes, and we would also say we were very sensitive 
in the satellite case as well, as I think I did say before your sub- 
committee when that first came up. 

But yes, the decisions we make — the export control system of the
United States is based on, leaving aside short supply, which is not 
on the table, controlling exports for national security and foreign 
policy reasons. That is the filter through which every decision we 
make goes. One might agree or disagree with a particular decision, 
but clearly in this case national security is a paramount consider- 
ation for us. 

Senator Cleland. Mr. Robinson, could you share with me a little 
bit. Does the Justice Department have some role in being involved 
in improving the U.S. end user verification system for supercom- 
puters and strong encryption products? Is that a role that you 
play? 

Mr. Robinson. Not directly, we do not. We are obviously con- 
cerned about the extent to which these issues interface with our 
ability to do our job. 

Mr. Reinsch. We do that, Senator.

Senator Cleland. That is through you in the Commerce Depart- 
ment? 

Mr. Reinsch. Yes, end user visits, which are both pre- and 
post — that is, we do some in advance of making the decision about 
a license because we want to check out the bona fides of the end 
user, and post because we want to see if the item actually went 
where it was supposed to go and if it is being used as it was in- 
tended — has been an important enforcement tool for us for decades. 

It is not the only enforcement tool we use by any means, and it 
has its imperfections. It is also very expensive. I would say that in 
general Congress has been less than generous with the resources 
that it would take to do more. 

We have also been handicapped, frankly, on computers in spe- 
cific, by a congressional requirement that we visit every one of 
them. This has forced us, for example, to visit subsidiaries of Amer- 
ican companies who are using them, banks, companies that bought 
one computer and then 6 months later bought a second one; we 
have had to visit them twice. It has prevented our agents from 
doing what they do best, which is figuring out what the risks are 
and spending their investigatorial time and talent on the places 
that problems. 

We have had to check a lot that we think are not problems. 
When you see the report of our inspector general on this subject 
next week, I think that — I should not get into this in public, but 
I think that he will make a distinction between visits that are use- 
ful and visits that are not useful. We want to do more of the 
former. 

Senator Cleland. Thank you very much. 

In closing out my questions, Mr. Chairman — I know I am out of 
time here — Ms. McNamara, I gather that your message to us is 
that we should tread very softly on this issue of encryption and 
opening up or loosening up export controls because it does involve 
sensitive issues of national security? 

Ms. McNamara. Yes, sir. 

Senator Cleland. Thank you, Mr. Chairman. 

Senator Burns. Thank you. 

Senator Dorgan, you have just joined us. Do you have a small 
statement? I am going to turn the chairmanship over to Senator 
Frist — I have got an 11 o’clock that is sort of very important to 
me — if you would agree to do that. We have got one more panel to 
go, by the way. 

STATEMENT OF HON. BYRON L. DORGAN, U.S. SENATOR 
FROM NORTH DAKOTA 

Senator Dorgan. Mr. Chairman, I came late and I have to leave 
in a moment because of some other hearings, but I just want to 
make in 30 seconds a comment about all of this. I, as you know, 
worked with you in the last Congress to try to resolve some of 
these issues. These are very difficult issues. 

You raise questions that I think are very important questions. 
Yet the whole export control area is very difficult. What used to be 
a supercomputer is now a laptop, available to anybody, any time, 
anywhere in the world. So as we try to sift through all of these 
issues and consider national security concerns, we also have to deal 
with the reality of what is happening in the world. 

My hope is that we can find a resolution that is a thoughtful res- 
olution, protecting our national security interests and at the same 
time recognizing what is happening in the rest of the world. 

I appreciate the attention Senator Burns has given to this over 
some long period of time, that this is not an easy issue, and he has 
spent a great deal of time on it. 

So thank you very much. 

Senator Burns. Thank you, Senator. 

Senator Frist, I am going to turn this over to you. I have an 11 
o’clock. I have tried to wheedle out of that thing two or three times 
and I am not having any more luck now than I had yesterday. 

STATEMENT OF HON. BILL FRIST, U.S. SENATOR 
FROM TENNESSEE 

Senator Frist [presiding]. Thank you, Mr. Chairman. Mr. Chair- 
man before you leave, I would like unanimous consent to have my 
opening statement made a part of the record. 

Senator Burns. You are the chairman. You can do anything you 
want to. 

Senator Frist [presiding]. Thank you very much. 

First of all, I thank all three of you for being here. I have got 
a couple of other questions that I would like to just run through. 

Director McNamara, do the continued export restrictions on U.S. 
encryption products make sense when Wassenaar partners such as 
the U.K., France and Germany have established new policies en- 
couraging their citizens to use strong encryption? 

Ms. McNamara. In terms of the strong use — the use of strong 
encryption by individual nations’ citizens, we support strong use of 
encryption by U.S. citizens. We do believe that U.S. citizens are en- 
titled to privacy for their own purposes. 

In terms of the export controls, however, there are agreements 
and there is compatibility and comparability between those export 
conditions that the United States has with the European partners 
that you mentioned. Now, there are discussions going on in Europe 
today. We have our eye on that. But when we relaxed last Sep- 
tember, the European nations along with other members of the 
Wassenaar nations aligned their overarching documentation that 
their export control processes should be in line with ours now both 
in hardware and software. 

Senator Frist. Is progress being made there, if you look out? 

Ms. McNamara. Yes, yes. In terms of what we are looking at, we 
still have our eye on Europe. The Administration said last year 
when we did relax to those sectors and encryption bit lengths that 
we would review those again in September, and one of the ingredi- 
ents in that review will clearly be what other foreign governments 
are doing. 

Let me state, though, for the record again, earlier I think it was 
Senator Ashcroft who said that we had — or perhaps it was Con- 
gressman Goodlatte when he was talking — that we had relaxed, 
the relaxation included going from 40 bits to 56 bits. That is clearly 
true, but in all of the sector relief that was given last year there 
is no bit length, as Secretary Reinsch said. It is 128-bits for use in 
banking, finance, commerce — sorry, online commerce, because it 
was recognition that e-commerce was a very important thing for 
U.S. companies and individuals to be able to have access to. So 
there is a large portion of that which is covered by 128-bit 
encryption. 

Senator Frist. Fine. 

Mr. Robinson, OECD, European Community; could you elaborate 
on our global partners’ positions on recoverable encryption products 
and their regulations, and specifically address OECD as well as the 
European Community? 

Mr. Robinson. I think I would defer to the Secretary to give you 
a better answer than I. 

Mr. Reinsch. I can do that. 

Senator Frist. Mr. Secretary. 

Mr. Reinsch. Ambassador Aaron, who is the President’s special 
envoy on this subject, has spent a lot of time with OECD members, 
I believe virtually all of whom are also members of what is known 
as the Wassenaar Arrangement, which is a multilateral export con- 
trol regime that controls encryption items multilaterally. There are 
33 nations in that regime, including Russia, including the NATO 
members, including all of the EU members, and a number of oth- 
ers. 

As Director McNamara has said and as I testified, we have had 
a good bit of success in that group harmonizing the export control 
policies of all 33 of those members. At the same time, the indi- 
vidual countries are developing encryption policies domestically, 
and they have wrestled with the same issues domestically that ev- 
erybody else has wrestled with: Do we want to control imports, do 
we want to control domestic use, what do we want to permit to 
happen in our countries? 

There is a trend, I think it is fair to say, within the EU, which 
is the first place it would begin after here, away from key recovery, 
certainly away from controls on domestic use and in favor of allow- 
ing people within each of these countries to use whatever they 
want. There is, then, a trend away from what I would refer to as 
key escrow or key recovery, the idea that people mandatorily would 
have to provide a spare key with some third party entity, govern- 
ment or nongovernment. 



We have also taken the position that we do not want to do that 
as a mandatory step. We do see an environment for stored data in 
which people may want to do that voluntarily, and we have taken 
exceptions to provisions in some of the bills that we think would 
discourage it voluntarily. 

Most of our trading partners, whether you say OECD or the 
Wassenaar members or NATO, however you define them, are mov- 
ing away from that kind of government involvement in the domes- 
tic marketplace. But at the same time they are all, on the export 
front, as near as we can tell, acting in a way that is generally con- 
sistent both with Wassenaar and with what we are doing. 

Senator Frist. Good. When we talk about appropriate agencies 
or parties to serve as key recovery agents, help me. What sort of 
appropriate agents or parties would that be? 

Mr. Reinsch. Well, mostly private parties, in fact I think exclu- 
sively private parties now. You need to think about it from the 
standpoint of another piece of this issue that is not on the table 
and should not be, which is the question of authentication and reli- 
ability for authentication. This is not a spare key issue, but it is 
a question of a public key infrastructure issue — if I want to send 
you a message, you want to have some certainty that the message 
you receive with my name on it came from me rather than from 
him or someone else, and I want to have some assurance that your 
response came from you and not someone who has intercepted it 
and is masquerading as you. 

That demands some authenticity and some certification that your 
message came from you. What we envision and in fact what a num- 
ber of States have already addressed in their legislation is regu- 
lating the private entities that will provide that authentication 
function. They will not keep spare keys, because the last thing you 
want for authentication purposes is a spare key. 

But what is happening is that private parties are springing up 
that will provide essentially trust services and authentication serv- 
ices to warrant that my messages come from me and that you can 
have some confidence in that. In fact, I think there are probably 
some people in that business on one of the next panels, and you 
might want to pursue the technology with them. 

Senator Frist. Right. Any other comment on that, Mr. Robinson? 

Mr. Robinson. No, Senator. 

Senator Frist. Mr. Secretary, on the issue of research and devel- 
opment on computer security, you are against NIST’s doing that? 

Mr. Reinsch. Not necessarily. I think Justice is. 

Senator Frist. Mr. Robinson. 

Mr. Robinson. Well, we are concerned that law enforcement be 
able to try to develop the techniques necessary to get plaintext be- 
cause, frankly, we are the ones who are going to have to use them 
and we need to have the capacity to do so. We think it is critical 
to public safety and effective law enforcement when we encounter 
encrypted evidence of criminal activities to be able to figure out a 
way to turn that into real information, whether it is an audible 
transmission or stored electronic data. Without that capacity, obvi- 
ously encryption in the wrong hands, as many things, can be a 
powerful tool to prevent law enforcement from preventing crimes 
and successfully investigating and prosecuting them. So that is a 
concern that we obviously have. 

Senator Frist. I guess then my question, and feel free to com- 
ment, is as we look at standardization of an advanced encryption 
system, whoever is doing that, if it is NIST, needs to be up to date 
with state-of-the-art right where we are. I guess it is not clear to 
me how if you put the research and the development in computer 
security with law enforcement, with the FBI, and then have NIST 
looking at the standardization, how they are really on top of things. 
Or is it both? 

Mr. Reinsch. If I could comment, one of my regrets this morning, 
Dr. Frist, was that I did not have an opportunity to bring with me 
a full and complete statement of NIST’s views on that question. If 
I may, I would like to have them — what I will suggest to them is 
they might get in touch with you directly, knowing of your interest 
in the issue. 

They do what you are describing. They have an extensive com- 
puter security laboratory now. They have a lot of interaction with 
the private sector. They validate products that they test as a serv- 
ice to the private sector. 

I believe their view is that if the Justice Department wants to 
take the activity on, provided for in this bill, that that would be 
all right. If the committee wants to assign it to them, I am sure 
they would defer to the committee’s judgment. 

But what I would prefer is to have them communicate with you 
directly. 

Senator Frist. Fine. 

Mr. Reinsch. I will arrange that. 

Senator Frist. Good. 

Well, thank you. We do have another panel. Would any of you 
like to make any closing statements at all? 

[No response.] 

Senator Frist. Thank you very, very much. We appreciate your 
being with us, and we will ask the second panel to come forward. 

I thank all three panelists for being with us. I will go ahead and 
do the introductions and then we will go in alphabetical order, I 
believe: Mr. David Aucsmith, Chief Security Architect, Intel Cor- 
poration; Mr. Jim Bidzos, Vice Chairman of the Board, Security 
Dynamics Technologies; and Professor Lance Hoffman, School of 
Engineering and Applied Science, Cyberspace Policy Institute. 

Welcome to each of you, and let us begin with Doctor — Mr. 
Aucsmith. 

STATEMENT OF DAVID AUCSMITH, CHIEF SECURITY 
ARCHITECT, INTEL CORPORATION 

Mr. Aucsmith. Thank you, Mr. Chairman, for this opportunity to 
talk to you this morning about the need for fundamental reform of 
America’s encryption policy. I am pleased to appear today on behalf 
of the Business Software Alliance, which together with ACP has 
been in the forefront of efforts to persuade the Government to 
adopt a new U.S. encryption policy. 

I am from Intel. Intel is the world’s largest semiconductor manu- 
facturer and a major supplier of information technology building 
blocks to the global computer and communications industry. We 
provide our customers with chips, printed circuit boards, assemblies, 
software — all the ingredients that you typically think of that 
go into a personal computer, servers, and workstations. 

Actually, my being here to speak on behalf of the Business Soft- 
ware Alliance should underscore the fact that encryption is both a 
software and a hardware issue. In fact, as a general note, 56-bit 
hardware products are currently excluded from the favorable treat- 
ment now given by the Administration. That applies only to soft- 
ware products. 

In 1998 we employed more than 40,000 people in the United 
States. We are headquartered in Santa Clara, CA, but have signifi- 
cant manufacturing facilities in a number of States, including Ari- 
zona, New Mexico, Oregon, California, and Massachusetts. 

We urge the committee to pass the PROTECT Act with further 
amendments that would make the bill more fully comport with 
technical and marketing realities. This morning I would like to 
briefly make five points which I believe should underpin our U.S. 
encryption policy. 

First: In an Internet economy, encryption is essential to all busi- 
nesses, not just encryption business. I want to emphasize this 
point. While private sector interest in encryption export reform is 
generally characterized in terms of the competitiveness of Amer- 
ican encryption products abroad, it has become a much larger issue 
for all American businesses. 

In this economy, every business is becoming an Internet busi- 
ness. It will affect all businesses. Cryptography has emerged as the 
essential building block for building trust in the open Internet. 
Without it, the hundreds of billions of dollars of e-commerce cur- 
rently projected to occur by the year 2002 will be at risk. 

Second: Encryption is vital to securing America’s critical infra- 
structures. I participated in the Defense Science Board evaluation 
of America’s critical infrastructures. We focused on the vulner- 
ability of five critical infrastructures and concluded that encryption 
is absolutely essential in their protection. 

The security of any network is only as good as its weakest link. 
All wires have two ends, if you will. America’s infrastructures can- 
not be protected if they are networked, as they will be, with foreign 
infrastructures that use weak encryption. That is why permitting 
exports of strong encryption helps to promote the national security. 

Third: The availability of encryption cannot be reasonably con- 
trolled. Cryptography is just mathematics. Information about cryp- 
tography is widely available from many sources and in many forms. 
It is the subject of numerous academic conferences. It is taught in 
universities throughout the world. 

Moreover, while developing good algorithms is extremely dif- 
ficult, if you will, rocket science, implementing them is relatively 
easy once someone has developed them. 

Fourth: Government-required or mandated plaintext access will 
not work. While mandated plaintext access offers at first glance a 
solution to the Government’s problems, it is not technically possible 
in most circumstances. It does not let law enforcement verify com- 
pliance with access requirements a priori and it does not give na- 
tional security interests access to stored information. 
There is practically no commercial reason for storing communications 
keys and I believe the need for key recovery of stored data 
is overstated. To be blunt, Intel as a corporation does not plan to 
sell products incorporating key recovery, nor does it expect to im- 
plement a key recovery system for its own use. 

Fifth: The Government needs to find technological alternatives to 
meet its requirements for access to information. Intel agrees that 
access to data communications and stored data by law enforcement 
and intelligence communities is both legitimate and extremely im- 
portant. Clearly, Congress needs to adequately fund the technical 
efforts of these agencies so they can meet the challenges of the next 
century. 

Industry supports additional funding. Industry can also provide 
assistance and is willing to do so. BSA has advocated that the U.S. 
Government should work cooperatively with our Nation’s hardware 
and software manufacturers to develop the technical know-how 
that they need. Technical innovation is predominantly centered in 
the private sector. Only a government-industry cooperative ex- 
change can effectively address the challenge of continued techno- 
logical change. 

In conclusion, let me say that we strongly believe the PROTECT 
Act should be passed, but with further improvements. The PRO- 
TECT Act does not — I mean, the PROTECT Act does begin to real- 
ize the realities of mass market products. It eliminates reporting 
requirements for such products and grants export relief to those 
products at all horizontal layers of the information technology sec- 
tor. 

But the Act still does not grant widespread exportability of mass 
market and publicly available encryption products, and there is a 
complicated bureaucratic process which must be pursued. Not until 
2002 will American industry be able to widely export products that 
are now using what is basically the worldwide standard of 128 bits 
in the form of the Advanced Encryption Standard or its equivalent. 
We believe that it is in our national interest to permit such 
exportability now and we urge the committee to amend the bill ac- 
cordingly. 

Thank you very much. 

[The prepared statement of Mr. Aucsmith follows:] 

Prepared Statement of David Aucsmith, Chief Security Architect, 
Intel Corporation 

Thank you Mr. Chairman for the opportunity to talk to you this morning about 
the need for fundamental reform of America’s encryption policy. I am pleased to ap- 
pear today on behalf of the Business Software Alliance which, together with ACP, 
has been in the forefront of efforts to persuade the U.S. Government to adopt a new 
U.S. encryption policy. We urge the Committee to pass the PROTECT Act with fur- 
ther amendments that would make the bill more fully comport with technological 
and market realities. 

This morning I would like to briefly make five points that we believe should un- 
derpin U.S. encryption policy. 

First, encryption is essential to all business in an Internet economy. While private 
sector interest in encryption export reform is generally characterized in terms of the 
competitiveness of American encryption products in a worldwide market, it is be- 
coming a much larger issue for all American business. The global economy, tied to- 
gether with the Internet, is turning businesses into virtual enterprises, localized 
products into global products, and geographically limited networks into worldwide 
networks. In this environment, American businesses must be able to sell and 
support their products worldwide, must be able to securely coordinate with their 
business partners worldwide, and must be able to conduct safe electronic commerce 
worldwide. 

Quite simply, cryptography has emerged as the only possible solution to many of 
the requirements of commercial security. It is the essential building block for build- 
ing trust onto the open Internet. Without it, the hundreds of billions of dollars of 
e-commerce currently projected to occur by the year 2002 will not happen. 

Second, encryption is vital to securing America’s critical infrastructures. Much of 
the national economy is at risk from the decisions that are made today on the issues 
of infrastructure protection. Increasingly, these critical systems are driven by, and 
linked together with, computers making them vulnerable to disruption. The single 
best way, and sometimes the only way to affect effectively these critical networks 
and systems, is encryption. That’s why the National Research Council found that 
encryption promotes the national security of the United States. However, the secu- 
rity of any network is only as good as its weakest link. America’s infrastructures 
cannot be protected if they are networked with foreign infrastructures using weak 
encryption. 

Third, the availability of encryption cannot be reasonably controlled. Cryptog- 
raphy is a branch of mathematics. Cryptographic technology can be reduced to 
mathematical formulas and protocols. Information about cryptography is available 
from many sources in many forms. It is the subject of numerous academic con- 
ferences. It is taught in universities worldwide. Moreover, while developing good al- 
gorithms is tough, implementing them is relatively easy. 

Fourth, government promoted or required plaintext access will not work. While 
required plaintext access offers, at first glance, a solution to the government’s prob- 
lem: (1) it is not technically possible in most circumstances; (2) it does not let law 
enforcement verify compliance with access requirements; and (3) it does not give na- 
tional security interests access to stored keys. There is simply no way that law en- 
forcement can determine, in advance, that particular text had not been encrypted 
with more than one program or product. At the same time, targets of national secu- 
rity interests are unlikely to design or use a plaintext infrastructure which would 
allow the U.S. government to have secret access to plaintext. 

Moreover, there is practically no commercial reason for storing communications 
keys — if the communication is disrupted or compromised a new session will be es- 
tablished. At the same time, the need for key recovery of stored data also is over- 
stated — the frequent example is an employee hit by a bus. With the exception of 
personal notes, information is not solely possessed by an individual. In addition, 
most mission-critical data is held by the corporate data management system that 
has its own control and protection mechanism. Finally, most personal data has a 
time value and rapidly becomes obsolete. 

If one factors in the additional costs and systemic vulnerabilities that result from 
building in access features, we conclude that there is no business or consumer need 
for key recovery or special plaintext access. To be blunt: Intel does not plan to 
implement a key recovery scheme for its own use. 

Fifth, the government needs to find technological alternatives to meet its require- 
ments for access to information. Intel agrees that access to data communications 
and stored data by law enforcement intelligence communities is both legitimate and 
extremely important. Clearly, Congress should adequately fund the technical efforts 
of these agencies so they can meet the challenges of the next century. Industry sup- 
ports additional funding. Industry can also provide other assistance. 

For example, ACP proposed last year the creation of a “NET center” to help law 
enforcement officials understand how to deal with encryption and other techno- 
logical advances. ACP also has advocated that the U.S. government should work co- 
operatively with our nation’s hardware and software manufacturers to develop the 
technical tools and know-how that they need. Technical innovation is predominantly 
centered in the private sector — only a government/industry cooperative effort can 
address effectively the challenge of continued technological change. 

In conclusion, let me say that we strongly believe the Protect Act should be 
passed but with further improvements. 

The Protect Act does begin to realize the realities of mass market products, elimi- 
nates reporting requirements for such products, and grants export control relief to 
products at all horizontal layers in the information technology sector. But the Act 
still does not grant widespread exportability for mass market and publicly available 
encryption products. There is a complicated, bureaucratic process which must be 
pursued. Not until 2002 will American industry be able to widely export products 
using the 128-bit Advanced Encryption Standard or its equivalent. 

We believe it is in our national interest to permit such exportability now and urge 
the Committee to amend the bill accordingly. 

Once again, many thanks for this opportunity to testify. 

INTRODUCTION 

My name is David Aucsmith, and as Chief Security Architect for the Intel Cor- 
poration I am responsible for research, development and deployment of data and 
communications security technologies and products, both hardware and software. 
Currently, my work is focusing on developing industry standard architectures for 
the application and interoperability of data security technologies for communica- 
tions, electronic commerce, and content protection. I previously worked on security 
matters for two computer companies and as a Lieutenant Commander in Naval In- 
telligence. 

Intel is the world’s largest semiconductor manufacturer and a major supplier of 
information technology building blocks to the global computer and communications 
industries. We provide our customers with chips, printed circuit board assemblies 
and software that are the “ingredients” of PC’s, servers and workstations. Our flag- 
ship business involves the mass production and sale of the Pentium® family of proc- 
essors and other microprocessors, which are frequently described as the “brains” of 
a computer because they control the central processing of data in computers. In 
1998, our sales exceeded $26 billion, and we employed more than 40,000 people in 
the United States. 

Like most information technology companies, Intel’s business model is global in 
scope. The bulk of our production takes place in the United States. Our products 
are sold worldwide to original equipment manufacturers of computer systems and 
peripherals, PC users who make purchases through various distribution channels 
including the Internet, and other manufacturers who produce a wide range of indus- 
trial and telecommunications equipment. Information security plays a prominent 
role in the conduct of our business. 

Intel is headquartered in Santa Clara, California, and we have significant manu- 
facturing facilities in a number of states, including Arizona, New Mexico, Oregon, 
California and Massachusetts. 

Intel Corporation is a member of the Business Software Alliance (“BSA”) and 
Americans for Computer Privacy (“ACP”). Both associations have been in the fore- 
front of efforts to persuade the government to adopt a new encryption policy. 

Since 1988, BSA has been the voice of the world’s leading software developers be- 
fore governments and with consumers in the international marketplace. BSA pro- 
motes the continued growth of the software industry through its international public 
policy, education and enforcement program in 65 countries throughout North Amer- 
ica, Europe, Asia and Latin America. Its members represent the fastest growing in- 
dustry in the world. BSA worldwide members include Adobe, Attachmate, Autodesk, 
Bentley Systems, Corel Corporation, Lotus Development, Macromedia, Microsoft, 
Network Associates, Novell, Symantec and Visio. Additional members of BSA’s Pol- 
icy Council include Apple Computer, Compaq, Intuit, Sybase and my company Intel. 
BSA websites: www.bsa.org; www.nopiracy.com. 

Intel Corporation takes, as a given, that access to data communications and 
stored data by the intelligence and law enforcement communities is both legitimate 
and extremely important. But, we also recognize that there is an inevitable tide of 
advancing technology that renders most conventional intercept methodologies obso- 
lete. We also believe that all American businesses need access to strong cryptog- 
raphy to remain competitive in an ever increasing global economy. 

We believe that these varied objectives can be met if only government does not 
seek to force solutions on industry that are incompatible with the development of 
technology and market demands. It is our view that, given the breathtaking pace 
at which information technology (including cryptography) is developing around the 
globe, the only way to achieve these goals is to adopt policies that will ensure Amer- 
ican industry leadership in the area of information technology. 

This morning I would like to discuss five points that we believe should underpin 
U.S. encryption policy: 

1. Encryption is essential to conducting all business in an Internet economy; 

2. Encryption is vital to securing America’s critical infrastructures; 

3. The availability of encryption cannot be reasonably controlled; 

4. Government promoted or required plaintext access will not work; and 

5. The government needs to find technological alternatives to meet its require- 
ments for access to information. 

ENCRYPTION IS ESSENTIAL TO CONDUCTING ALL BUSINESS IN AN INTERNET ECONOMY 

While the private sector interest in encryption export reform is generally charac- 
terized in terms of the competitiveness of American encryption products in world 
markets, it is, in reality, a much larger issue for American businesses. In an Inter- 
net economy, all American businesses are affected by encryption export constraints. 
The future of business is fundamentally changing. The Internet presents two 
distinctly different business opportunities. 

• Moving existing business to the Internet. Taking our existing paper-based com- 
merce models and moving them to the electronic world. 

• Creating new businesses because of the Internet. The Internet provides a ubiq- 
uity, connectivity and speed that has never existed before. There are many hereto 
unimagined businesses that will arise to capitalize on these capabilities. 

The global economy, tied together with the Internet, is turning businesses into 
virtual enterprises, localized products into global products, and geographically lim- 
ited networks into worldwide networks. Taking place on a massive scale, this phe- 
nomenon rests on the following business principles: 

• American businesses must be able to sell and support their products worldwide. 

• American businesses must be able to securely communicate and coordinate with 
their foreign subsidiaries and business partners worldwide. 

• American businesses must be able to conduct safe electronic commerce world- 
wide. 

I will address each of these three principles in more detail. However, it should 
be obvious that they all depend on secure communications and financial infrastruc- 
tures. Cryptography is an essential component of the security of these critical infra- 
structures, regardless of the nature of the company involved. 

It is easy to underestimate the magnitude of the information technology industry 
in the U.S. and the importance of Internet driven electronic commerce. The Depart- 
ment of Commerce reported that: 

Without information technology — and the electronic commerce it fosters — overall
inflation would have hit 3.1% last year, more than a full percentage point higher
than the 2% it was . . .

By the year 2002, Internet commerce is expected to be $327 billion annually. By
the year 2001, the U.S. information technology industry will be directly responsible
for 5% of the GNP.

American businesses must be able to sell their products worldwide 

Much has been said about the need for American businesses to be able to sell
their encryption products worldwide as will be discussed later in this testimony.
What is not obvious is that encryption controls may make it difficult to sell
non-encryption products on the world market as well. For example, a
telecommunications application may need to have an integrated cryptographic
component to meet an international standard.

American businesses must be able to securely communicate and coordinate with their 
foreign subsidiaries and business partners worldwide 

Business practices demand tight coordination with both a company's overseas
subsidiaries, their suppliers and their customers. It is essential that confidentiality
and access control to business information be maintained. Frequently companies are
suppliers or customers on one product and competitors on another. The tightly
integrated networks required for coordination could rapidly become a source of
competitive intelligence if not adequately protected. Only strong cryptography can
offer the level of protection required.

American businesses must be able to conduct safe electronic commerce worldwide 

In the near future, there will no longer be dedicated Internet companies —
virtually every company will have to be an Internet company to survive. This requires
that companies have the capability to securely sell products over the Internet to 
markets around the world. The ability to prevent fraud and protect intellectual 
property will depend heavily on the use of strong cryptography. 

Importantly, corporate participation in electronic commerce includes both busi- 
ness-to-business and business-to-consumer transactions. 

There is a need for commercial security 

There has always been some level of need for data security in commercial environ- 
ments. However, the Internet has enabled the connected PC and, with it, created 
both new business opportunities and new security vulnerabilities. 

Both the value and volume of on-line information have sharply risen. This
information includes organizational information such as financial data, manufacturing
information, customer information, medical and legal records, and human resources
data. Additionally, there is a growing amount of data which has intrinsic value, 
such as monetary instruments (e.g., credit cards, coupons, etc.) and intellectual 
property (e.g., movies, images, etc.). 

In the past, such data was protected by physical and procedural controls. The
connected PC largely negates those conventional controls and requires new security
mechanisms, thus creating a need for commercial security technology. 

After many years of false starts, commercial data security has become a viable 
business. The Internet has provided the driving force for this change. Physical bar- 
riers have all but disappeared, and security perimeters have become vague. 

The Internet has created needs for security that were not present in isolated secu- 
rity domains. This has, in turn, created opportunities for vendors of security tech- 
nologies and has also created a need for standards so those technologies can inter- 
operate. 

Cryptography is the only viable solution to most commercial security requirements 

Cryptography has emerged as the only possible solution to many of the require- 
ments of commercial security. It is the essential building block for projecting trust 
onto the open Internet. 

The modern global commercial information infrastructure is characterized by 
more than 95 million Internet-connected computers, most of which are in open en- 
vironments with little or no physical control. They use a wide variety of hardware 
and software and implement no common security policy. 

Only cryptographic technologies are capable of projecting security onto a com- 
pletely open, arbitrary environment. Cryptography, by itself, does not guarantee any 
level of security. It is a necessary component but not a sufficient component. 

Privacy, also known as confidentiality, is the characteristic that information is 
protected from being viewed in transit during communications and/or when stored 
in an information system. With cryptographically-provided confidentiality, encrypted 
information can fall into the hands of someone not authorized to view it without 
being compromised. It is almost entirely the confidentiality aspect of cryptography 
that has posed public policy dilemmas. 

The commercial use of privacy (or confidentiality) encompasses not only the tradi- 
tional view described above, but also the protection of intellectual property such as 
digital video and digital audio. The same technology used to keep communications
private is required to ensure that a digital movie is not illegally copied.

ENCRYPTION IS VITAL TO SECURING AMERICA’S CRITICAL INFRASTRUCTURES 

Governments also are recognizing that without encryption, the electronic net- 
works that control such critical functions as airline flights, health care functions, 
electrical power and financial markets remain highly vulnerable. The U.S. General 
Accounting Office in its report issued in May of 1996 entitled “Information Security: 
Computer Attacks at Department of Defense Pose Increasing Risks” found that com- 
puter attacks are an increasing threat, particularly through connections on the 
Internet, such attacks are costly and damaging, and such attacks on Defense and 
other U.S. computer systems pose a serious threat to national security. 

There is an awareness within the government of the vulnerability of the national 
information infrastructure to potential attack. The Marsh Report highlighted the
vulnerabilities very well. Much of the national economy is at risk from the decisions 
that are made today on the issues of infrastructure protection. Any action that de- 
grades the security of Internet commerce or the viability of the industries involved 
must be viewed as a serious risk to the national security. 

As the President said on January 22, 1999, before the National Academy of 
Sciences, “[w]e must be ready — ready if our adversaries try to use computers to
disable power grids, banking, communications and transportation networks, police, fire
and health services — or military assets. More and more, these critical systems are 
driven by, and linked together with, computers, making them more vulnerable to 
disruption.” 

The President has been so concerned that he established a Commission on Critical 
Infrastructure Protection to provide him with guidance and issued two Presidential 
Directives based on the Commission’s recommendations. 

In the Report of the President’s Commission on Critical Infrastructure Protection 
entitled Critical Foundations: Protecting America’s Infrastructures (October 1997), 
the Commission emphasized that “Strong encryption is an essential element for the 
security of the information on which critical infrastructures depend.” In fact 
“[p]rotection of the information our critical infrastructures are increasingly
dependent upon is in the national interest and essential to their evolution and full use.
A secure infrastructure requires the following: 

• Secure and reliable telecommunications networks. 

• Effective means for protecting the information systems attached to those net- 
works .... 

• Effective means of protecting data against unauthorized use or disclosure. 

• Well-trained users who understand how to protect their systems and data.”

An earlier blue ribbon National Research Council (NRC) Committee similarly con- 
cluded in its (May 1996) CRISIS Report (“Cryptography’s Role in Securing the Infor- 
mation Society”) that encryption promotes the national security of the United States 
by protecting “nationally critical information systems and networks against unau- 
thorized penetration.” 

Thus, the NRC Committee found that on balance the advantages of widespread 
encryption use outweighed the disadvantages and that the U.S. Government has “an 
important stake in assuring that its important and sensitive . . . information . . . 
is protected from foreign government or other parties whose interests are hostile to 
those of the United States.” 

In recognition of the risks and threats to information, on January 15, 1999, the 
National Institute of Standards and Technology (NIST) established a new draft Fed- 
eral Information Processing Standard (FIPS 46-3) to require the use of stronger 
encryption in government systems. NIST stated that it “can no longer support the 
use of the DES for many applications” and that all new systems must use the sig- 
nificantly stronger Triple DES “to protect sensitive, unclassified data”. Under the 
FIPS, all existing systems are now expected to develop a strategy to transition to 
Triple DES, with critical systems receiving a priority. 

The vulnerability of national infrastructures has not been lost on other govern- 
ments. Within the European Union, there is discussion on how to encourage compa- 
nies to develop products to protect national infrastructures in their respective coun- 
tries. Such mutual government encouragement will help to grow technical capabili- 
ties and fuel a viable world market. 

Already the Swiss government is providing 128-bit encryption plug-ins for 
download off the Internet. The SecureNet system is required for use in accessing 
Telegiro, an Internet payment system. The plug-ins support SSL connections using 
IDEA encryption. Several Swiss banks are now using on-line banking systems
compatible with the Telegiro cryptosystem.

Information security is critical to the integrity, stability and health of individuals, 
corporations and governments. While cryptography is but one element of security, 
it is the keystone of secure, distributed systems. Frankly, there is no substitute for
good, widespread, strong cryptography when attempting to prevent crime and sabo- 
tage through these networks. The security of any network, however, is only as good 
as its weakest link. America’s infrastructures cannot be protected if they are 
networked with foreign infrastructures using weak encryption. 

In the long-term, we believe it is in America’s best interest to protect critical in- 
frastructures and national security by relying on strong American encryption prod- 
ucts. This will not happen if the U.S. Government limits the ability of U.S. compa- 
nies to provide strong encryption to consumers. Indeed, the question is not whether 
critical infrastructures will be protected. Rather it is a question of who will protect 
them — U.S. or foreign companies. With individuals increasingly relying on critical 
infrastructures and governments increasingly desiring to safeguard these infrastruc- 
tures, it is only a matter of time before strong encryption becomes a commodity fea- 
ture of global networks and information systems. 

U.S. encryption export controls hurt our national security 

Our current export policy puts at risk America’s global leadership in information 
security. U.S. export policy should, therefore, be changed so it no longer limits 
American participation in efforts to secure global e-commerce and related informa- 
tion infrastructures and no longer cedes the world market for encryption products 
to foreign competitors. Strong, high-quality encryption products already are widely 
available from foreign makers. Foreign producers of IT systems are finding that 
their ability to provide end-to-end systems incorporating stronger encryption than 
U.S. companies are permitted to export gives them a decided market advantage. We 
are concerned that as a result America will lose the critical encryption market to 
foreign companies. If that happens, it will be too late to change U.S. policy and too 
late to preserve U.S. leadership in this vital arena. 

What will the loss of that U.S. leadership position mean? It will mean that the 
national security agencies will be confronting ubiquitous encryption made not by 
U.S. companies, but by foreign companies. Where then will the national security 
agencies go for technical help on encryption? It also will mean that the protection 
of our critical national infrastructure may depend on foreign-made systems incor- 
porating foreign-made encryption — and that’s unacceptable. 

America must retain leadership in this vital technology if we are to meet our long- 
term national security objectives. That is why we must assess our encryption export 
policies from a long-term, not a short-term, perspective. 

In the long run, U.S. national security objectives are best served by an IT world
in which U.S. companies are market leaders in all aspects, especially encryption. 
U.S. export controls have had the effect of creating an encryption expertise outside 
the United States that is gathering momentum. Unfortunately, every time research 
and development of an encryption technique or product moves off-shore, U.S. law 
enforcement and national security agencies lose. We believe that continuing down 
this path will be ultimately more harmful to our national security and law enforce- 
ment efforts as American companies will no longer be the world leaders in creating 
and developing encryption products. 

In fact, as long ago as 1996, the NRC Committee concluded that as demand for 
products with encryption capabilities grows worldwide, foreign competition could 
emerge at levels significant enough to damage the present U.S. world leadership in 
information technology products. The Committee felt it was important to ensure the 
continued economic growth and leadership of key U.S. industries and businesses in 
an increasingly global economy, including American computer, software and commu- 
nications companies. Correspondingly, the Committee called for immediate and easy 
exportability of products meeting general commercial requirements — which is cur- 
rently 128-bit level encryption! 

We recognize this is a difficult balance to strike, but we strongly believe that our 
long term national security objectives can only be achieved if the United States real- 
istically acknowledges the inevitability of a world of ubiquitous, strong encryption. 
Trying to control the proliferation of encryption is like trying to control the pro- 
liferation of mathematics. For that is what we are talking about here. Encryption 
algorithms are nothing but sophisticated mathematics. And while the United States 
may realistically hope to remain the leader in such a field, it cannot realistically 
expect to monopolize it. 

We are joined in this view by the Center for Strategic and International Studies 
(“CSIS”). CSIS recently conducted a study of our nation’s technical vulnerabilities; 
the study was chaired by William Webster, the former director of the FBI and Cen- 
tral Intelligence and former U.S. Circuit Judge. The subsequent report, entitled 
Cybercrime . . . Cyberterrorism . . . Cyberwarfare . . . Averting an Electronic Wa- 
terloo, calls for the “intelligence gathering communities — law enforcement and for- 
eign intelligence — to examine the implications of the emerging environment and 
alter their traditional sources and means to address the SIW (strategic information 
warfare) needs of the twenty-first century. Continued reliance on limited availability 
of strong encryption without the development of alternative sources and means will 
seriously harm law enforcement and national security.” 

THE AVAILABILITY OF ENCRYPTION CANNOT BE REASONABLY CONTROLLED. 

Cryptography is a specialized branch of mathematics. Cryptographic technology 
can be reduced to mathematical formulas and protocols. Information about cryptog- 
raphy is available from many sources and in many forms. Implementation of cryp- 
tography is no more difficult than the implementation of any complicated mathe- 
matical technology such as digital video or digital signal processing. 

Ease of implementation 

Creation of good cryptographic algorithms that will withstand the test of time is 
amazingly difficult. Recent history is littered with failed attempts. Even so, many 
algorithms have survived and have become part of common usage. Inventing good 
cryptography is the mathematical equivalent of “rocket science.” Implementing 
those algorithms is comparably “child’s play.” 

Information security is such an important part of information technology that it 
is rare for a graduate level computer science student to graduate without having 
implemented a cryptographic algorithm or protocol. Many of these students become 
competent systems-level programmers who could easily fashion a production-quality 
cryptographic application. Many of these students are non-U.S. residents. 

Open research 

Cryptography and cryptanalysis are legitimate academic research topics. There is 
a growing, worldwide academic community specializing in the subject. Last year 
alone there were over 30 international conferences focusing on cryptography or re- 
lated topics and over 100 books and journals. Many of these books include detailed 
specifications and source code of cryptography algorithms and protocols. As an
example, Bruce Schneier’s popular cryptography text, Applied Cryptography, has sold
over 100,000 copies world wide.

Intangible software

The intangible nature of cryptographic software defies any physical controls. In 
an instant, software, cryptographic or otherwise, can be shipped virtually anywhere 
in the world. As an example, within hours of the U.S. release of PGP 5.0, it was 
available from sites in Western Europe.

Cryptography exists in many uncontrollable forms, such as general knowledge, 
academic research, and network deliverable software. 

Availability of strong encryption products abroad

Having export controls assumes that they are at least marginally effective. Cryp- 
tography is basically mathematics. The knowledge is inherently uncontrollable. This 
has led to the worldwide availability of strong encryption products and technologies. 

One of the ironies of the U.S. cryptographic export regime is that it has fostered 
a growth in non-U.S. cryptographic technology providers who can sell strong cryp- 
tography worldwide without the constraints imposed by the U.S. government, while 
U.S. companies can not make the same claim. 

The belief that U.S. export regulations enable foreign cryptography businesses is 
held by the European Commission. The EC stated at the Copenhagen Hearing: 

The current U.S. export regulations can provide a chance for European companies 
to enter the market for cryptographic products. Nevertheless this would require a con- 
centrated effort of European industry and governments to prepare the basis for this 
market. 

Some European companies and governments have turned this belief into practice. 
The following is quoted from a Siemens Nixdorf ad regarding a software product of 
theirs called TrustedWeb: 

By simply downloading the TrustedWeb software from the Internet, you can create 
a highly secure Intranet infrastructure in a matter of days. The organization itself 
can decide on the level of security and adapt it in stages in line with needs — Ranging 
from simple password protection to authentication using cryptographic procedures 
(Public Key / Private Key) with full 128-bit key length. TrustedWeb is an independent
European product and hence is not subject to the export restriction imposed by the 
US government in relation to encryption software. 

Siemens Nixdorf runs similar ads covering their hardware products. Security 
products are available worldwide, in spite of, or perhaps because of, strong U.S. ex- 
port controls. 

Wide deployment of strong encryption is inevitable 

There are huge commercial incentives for the spread of cryptography. There is a 
legitimate need for the technology and a sharp increase in the amount of money 
being spent on security technology. This has created a viable market for the
technology, and there are many suppliers worldwide willing and able to meet the
market demand.

The recognition of the importance of security to data communications has led to
the inclusion of security protocols within international standards. Examples of such 
standards include the Secure Sockets Layer (SSL) and the Internet Packet Security 
(IPSEC) protocols. 

In most cases, the implementation of security components in international stand- 
ards is optional. However, there is a strong trend to make many of these features 
mandatory. Thus, compliance with international communications standards will pro- 
mote the diffusion of security technologies. 

GOVERNMENT PROMOTED OR REQUIRED PLAINTEXT ACCESS WILL NOT WORK 

As the spread of strong cryptography threatens traditional intelligence methods, 
the government has used export control relief as an incentive for companies to build 
plaintext access capability into every product. There have also been attempts in 
Congress to mandate plaintext access capability in such products. The overall ap- 
proach has revolved largely, though not exclusively, around key recovery require- 
ments. This section primarily addresses specific concerns about key recovery issues, 
but it is applicable to all plaintext access solutions that may be promoted or man- 
dated by the U.S. Government (hereinafter referred to as “required plaintext ac- 
cess”). The basic point is that non-market driven requirements to build any 
plaintext access mechanism into products will not work. 

Key recovery, as a concept, now applies not only to the initial purpose of assuring 
law enforcement access to encrypted materials, but also to possible end-user or orga- 
nizational requirements for a mechanism to protect against lost, corrupted, or un- 
available keys. It can also mean that some process, such as authority to decrypt a 
header containing a session key, is escrowed with a trusted party, or it can mean 
that a corporation or individual is ready to cooperate with law enforcement to access 
encrypted materials. It may also mean that some technical mechanism must be put
in place to bypass the use of the key entirely (strict “plaintext access”). 

While required plaintext access offers, at first glance, the promises of solving the 
technical problems of plaintext access, it is not technically possible for it to do so 
in most circumstances. It is unlikely to actually meet plaintext access requirements, 
and its deployment as a national strategy is fraught with technical challenges and 
dangers. 

Required plaintext access systems will not satisfy government access requirements 

Required plaintext access does not meet either law enforcement or national secu- 
rity requirements, but for slightly different reasons. Law enforcement can not verify 
compliance with key recovery requirements, and national security interests are un- 
likely to have access to stored keys. 

Compliance can not be verified by law enforcement 

Required plaintext access has a serious technical flaw in the area of a priori 
verification of compliance. Encryption, if applied, is likely to be applied at several 
different levels of the communications infrastructure. An example is having link- 
level encryption applied by IPSEC, having session-level encryption applied by SSL, 
and having application-level encryption applied by S/MIME. 

Assuming one could construct a protocol to allow for the monitoring of IPSEC key 
recovery compliance, there is no physical way to verify that the other two levels 
have complied with the required plaintext access requirements unless one actually 
decrypts the IPSEC-data packet. If it requires probable cause to get a court order 
to obtain the IPSEC recovered key or mechanism, it would only be after law enforce- 
ment has probable cause of criminal activity that they would be able to verify 
whether or not the upper-level protocols have complied with the required plaintext 
access requirements. 

Required plaintext access does not address national security requirements 

While law enforcement may serve a warrant on a key recovery agent or other ac- 
cess mechanism provider to obtain encryption keys or the plaintext, national secu- 
rity interests are likely to have that opportunity. Required plaintext access does not 
provide any benefit to lawful access unless one is able to actually recover the 
plaintext. Targets of national security interests are unlikely to design a plaintext 
access infrastructure which would allow the U.S. government to have surreptitious 
access to stored keys or stored plaintext. This view has been borne out by National
Security Agency testimony before Congress. 

Required plaintext access systems are of limited commercial value 

Product announcements of key recovery companies to the contrary, there is not 
a compelling market for commercial key recovery systems and no market for other 
plaintext access systems. There is no general reason to recover communications 
keys, and the use of key recovery for stored data ignores the fundamental properties 
of information. 

A market for key recovery technology will emerge only when it is artificially cre- 
ated by government regulations. Prior to the current law enforcement push for key 
recovery, there were no widespread deployments of key recovery mechanisms even 
though the basic technology had been in existence for some time. 

Not required for data communications 

While key recovery may, debatably, be important in certain stored data systems, 
in communications cryptography there is little or no user demand for this feature. 
In particular, there is hardly ever a reason for an encryption user to want to recover 
the key used to protect a communication session such as a telephone call, FAX 
transmission, or Internet link. If such a key is lost, corrupted, or otherwise becomes 
unavailable, the problem can be detected immediately and a new key negotiated. 
There is also no reason to trust another party with such a key. 

Ignores the nature of stored data 

Many of the proposed needs for key recovery of stored data operate under a false 
assumption about how data is actually stored and utilized. The frequent example 
is the assertion that a company will need to recover the encrypted files of an em- 
ployee who has been hit by a bus. 

There are three problems with this assertion. First, with the exception of personal 
notes, information is not solely possessed by an individual. Information is shared 
among a team of employees or partners in order to be of any benefit. Second, most 
mission-critical data is held by corporate data management systems (e.g., data 
bases) that have their own access control and protection mechanisms, which are
administered by the corporation. Third, most personal data has a time value and
rapidly becomes obsolete.

Given the observations above, we conclude that there is no business or consumer 
need for key recovery. Indeed, taking into account the observations and risks, Intel 
does not plan to implement a key recovery scheme. 

Key recovery introduces additional vulnerabilities 

Centralizing all of a user’s secrets or access controls in a system with increased 
technological and procedural operational complexities can only increase the security 
vulnerabilities of the operation. 

Centralized attack point 

Regardless of the implementation, if key recovery systems must provide timely 
law enforcement access to a whole key or to plaintext, they present a new and fast 
path to the recovery of data that never existed before. 

The key recovery access path is completely out of the control of the user. In fact, 
this path to lawful access is specifically designed to be concealed from the 
encryption user, removing one of the fundamental safeguards against the mistaken 
or fraudulent release of keys. 

In contrast, non-recoverable systems can usually be designed securely without any 
alternative paths. Alternative paths to access are neither required for ordinary oper- 
ation nor desirable in many applications for many users. 

Complexity of implementation 

Key recovery systems must be, in terms of functionality, a secure, distributed, open
key management system. They have many of the properties of both large scale
distributed databases and of command and control systems. Both types of systems have
significant inherent complexity. As we have no practical experience, key recovery
mechanisms represent a system of unknown and potentially daunting complexity.
Commercial organizations would have to add the cost and risk of key recovery sys- 
tems to their bottom line. Even government agencies participating in key recovery 
pilot programs have found the cost of centralized key recovery unacceptable. 

Key recovery mechanisms do not work in the horizontal information industry 

The information technology industry is characterized by an open, international, 
horizontal architecture. Microprocessors are sold to OEMs who build motherboards, 
who then contract to have BIOSs and operating systems installed. The final product
is then sold to an end user who adds whatever applications they wish. New capabili- 
ties or requirements must have an active acceptance within each of the layers in 
order to be widely deployed. Key recovery discussion has focused only on the upper, 
application layer. 

Low-level layers have no visibility into higher-level layers

The nature of the information technology industry is that it is made-up of distinct 
horizontal architectural layers, from the microprocessor up through application pro- 
grams. The components in each of these layers are supplied by different companies, 
having different economic models and different diffusion channels. 

For valid security reasons, cryptography is migrating further “down” the layers 
toward the basic hardware. Key recovery, on the other hand, is a user-initiated pro- 
tocol problem and can not be pushed down to the hardware. In short, cryptography 
implemented on hardware can not determine how it will ultimately be used. 

Key recovery is under the end user’s control and is performed by communications 
protocols or applications programs. The original microprocessor could have no 
knowledge of how its cryptography would be used any more than it could know how 
its multiplication instructions will be used. 

Key recovery regulation is envisioned from the perspective of the end user. The 
end user “sees” a vertical single product, but the reality is that the PC is actually 
a collection of products from many different companies. 

Horizontal interfaces are international standards

Within the horizontal architecture of the computer industry, the interfaces be- 
tween horizontal layers are defined by established international industry standards. 
None of these interface standards currently support key recovery of keys stored in 
mass market hardware. To change these standards would be a slow and difficult 
process. 

Key recovery does not work in an international setting 

The information technology industry is based on international standards. No U.S.- 
only solution is commercially feasible. Most U.S. information technology companies 
derive a large share of their revenue from non-U.S. sources. To restrict their products 
to only U.S. markets would be devastating. 

Not all countries will adopt key recovery 

Very few countries have embraced key recovery to the extent that the U.S. gov- 
ernment has done. In particular, countries with strong privacy laws have generally 
regarded key recovery schemes as being in violation of those laws. As an example, 
Lotus Notes, which includes a key recovery feature, specifically lost a major sale to 
the Government of Sweden when the Swedish press discovered the key recovery feature. 

The European Commission has not endorsed key recovery as a solution to lawful 
access problems. It is therefore unlikely that a European-wide agreement can be 
reached. Indeed, the European Committee on Banking Standards (ECBS) — a power- 
ful consortium of financial institutions — has filed a submission with the European 
Commission arguing against key recovery. 

Requires modification to existing standards 

Data communications and architectural standards are internationally-negotiated 
standards. None of these standards include data recovery provisions. Products must 
be built to conform to these standards to become mass market products. Many of 
these standards are not controlled by any government, rather they are controlled 
by commercial or user communities (such as the IETF). 

Negotiating provisions for key recovery into these standards will require international 
agreement on the form and procedures of key recovery technology. Given 
the current international climate, it is unlikely that such negotiations would succeed. 

Interoperability will require a non-recovery mode 

If there is even one major country which prohibits key recovery, then all devel- 
oped systems will have to have a “non-key recovery” mode to facilitate interoper- 
ability. There is little that one could do to ensure that the “non-key recovery” mode 
was not used in normal communications. 

Mutual access to keys opens U.S. companies to industrial espionage 

There is no way to guarantee that other countries will have the same level of con- 
stitutional safeguards on access to their key recovery agents as guaranteed in the 
U.S. U.S. corporations would be at high risk of international economic espionage if 
forced to deposit encryption keys with foreign key recovery agents. 

According to the FBI, U.S. corporations are already targets of major industrial es- 
pionage efforts. The FBI says foreign spies have stepped up their attacks on Amer- 
ican companies, and a new national survey estimates that intellectual property 
losses from foreign and domestic espionage may have exceeded $300 billion in 1997 
alone. 

Governments of at least 23 countries, ranging from Germany to China, are tar- 
geting American companies, according to the FBI. More than 1,100 documented inci- 
dents of economic espionage and an additional 550 suspected incidents that could 
not be fully documented were reported last year by companies in a survey conducted 
by the American Society for Industrial Security. 

THE GOVERNMENT NEEDS TO FIND TECHNOLOGICAL ALTERNATIVES TO MEET ITS 
REQUIREMENTS FOR ACCESS TO INFORMATION 

Given the global availability of strong, non-recoverable encryption and the fast 
pace of technological advancement, it is clear that current U.S. policy is not work- 
ing. An alternative means to gather lawful intelligence is needed by both national 
security and law enforcement interests. 

Clearly, Congress should adequately fund the technical efforts of our law enforce- 
ment and national security agencies so they can meet these challenges. And indus- 
try would support additional funding. 

ACP, for example, has advocated that the U.S. Government should 
work cooperatively with our nation’s hardware and software manufacturers to de- 
velop the technical tools and know-how to achieve a policy that effectively responds 
to society’s needs for law enforcement, national security, critical infrastructure pro- 
tection, privacy preservation, and economic well-being. 

NET center proposal 

Last year, ACP proposed the creation of a National Center for Secure Network 
Communications (“NET Center”). The NET Center (now called “Tech Center”) concept 
is aimed at helping law enforcement officials to understand how to deal with 
encryption and other technical advances when encountered in a criminal setting. 
The Tech Center should be a public-private entity operating within a national laboratory 
for information technology to perform research and act as a forum for further 
discussions on technology trends and vulnerabilities. Clearly a Tech Center 
must operate within a legal framework that provides reasonable safeguards. 

Attorney General Janet Reno announced plans for the Federal Bureau of Inves- 
tigation to set up a new $64 million center to protect the nation’s critical infrastruc- 
tures, particularly computer networks, from both physical and cyber attack. 

Industry cooperation 

The national security is best secured by the American companies actively competing 
for and supplying the fundamental technologies of the national infrastructure. 
Only those companies directly involved in the research and development of information 
technology components can assess the security and vulnerabilities of the 
infrastructures created from those components. Technical innovation is predomi- 
nantly centered in the private sector. Only a government/industry cooperation can 
effectively address the challenge of continued technological change. 

CONCLUSION: THE PROTECT ACT SHOULD BE PASSED WITH FURTHER IMPROVEMENTS 
The mass market model 

Mass-market hardware manufacturers and software publishers sell products 
through multiple distribution channels such as OEMs (i.e., hardware manufacturers 
that pre-load software onto computers), value-added resellers, retail stores and the 
emerging channel of on-line distribution. Thus, mass market products are available 
to the general public from a variety of sources. 

The mass-market distribution model presupposes that hardware manufacturers 
and software publishers will take full advantage of these multiple channels to ship 
identical or substantially similar products worldwide (allowing only for differences 
resulting from localization) irrespective of specific customer location or characteris- 
tics. As mass market products are uncontrollable, Intel believes U.S. companies 
should be able to export the current market standard of 128-bit encryption. Unfortunately, 
the Administration only permits easy exports of 56-bit encryption even if foreign 
products exist in the marketplace. And the Administration continues to impose 
onerous controls on 56-bit toolkits and hardware encryption components, notably 
semiconductors. 

The PROTECT Act grants export control relief to products at all horizontal levels 

Intel believes that all distinct horizontal architectural layers, from the micro- 
processor up through application programs should be treated identically under any 
encryption export policy. However, contrary to the Administration’s original an- 
nouncement regarding export relief which included export relief for hardware, the 
new regulations still do not permit 56-bit encryption chips, integrated circuits, tool- 
kits and executable or linkable modules to be easily exported except to subsidiaries 
of U.S. companies or otherwise relax export controls on stronger mass market hard- 
ware. We are pleased that the PROTECT Act remedies this problem and treats 
mass market hardware in the same manner as mass market software. 

The PROTECT Act eliminates reporting requirements for mass market products 

We are encouraged that the PROTECT Act recognizes the difficulties in complying 
with reporting requirements for mass market encryption products and eliminates 
such reporting requirements. It is virtually impossible for mass-market exporters to 
report the name and address of each end-user. Millions of these products are sold 
through multi-level distribution channels (e.g., VAR’s and chain stores). Moreover, 
as registration of mass market products is customarily voluntary. This is a vast im- 
provement over the Administration’s proposed regulations which effectively require 
companies to develop a system to obtain the names and addresses for each health 
and medical end-user of stronger encryption products and all foreign online mer- 
chants. 

The PROTECT Act’s export relief for mass market products and for products which 
face competition from comparable foreign products is too complicated and creates 
an unwieldy bureaucracy 

We are pleased that the PROTECT Act does recognize that mass market and pub- 
licly available encryption products, and encryption products for which comparable 
foreign products are available, should be treated differently under the U.S. export 
regime. The bill acknowledges the futility of trying to control a product that can be 
bought off of the Internet or easily purchased from commercial vendors such as 
CompUSA or from Circuit City by any individual in America regardless of nationality, 
or a comparable product can be easily purchased from similar stores in a foreign 
country. “Bad guys” certainly will have no problems obtaining the encryption 
products, and no concerns about “exporting” the products via telephone lines or the 
Internet or smuggled out on personally pressed CDs. The only impact of the export 
controls will be to stop American companies from selling American products to le- 
gitimate users. 

Unfortunately, the PROTECT Act establishes a complicated private/public board 
structure for deciding after-the-fact whether or not a product is a mass market prod- 
uct or whether comparable foreign products are available. The Secretary of Com- 
merce has thirty days to approve or disapprove the Board determination, subject to 
judicial review, and the President may override any determination. There is no 
guarantee of any consistency in the Board’s decisions. Thus, while the Board proce- 
dure is an improvement, and the opportunity for judicial review provides a mecha- 
nism to ensure that exports are not denied in an arbitrary and capricious manner, 
it is not a predictable, clear process giving American companies certainty as to 
whether they can export their products. Such predictability is necessary so that 
American companies can have confidence designing and building security features 
into their products. 

The PROTECT Act should, but does not, afford complete and immediate export 
relief for mass market encryption without any complicated oversight. The Act also 
does not recognize that if a comparable foreign product is available, any delay in 
exports provides a significant advantage to the foreign product. 

The PROTECT Act supports development of AES, but delays full export control relief 
until 2002 

The PROTECT Act also provides Congressional support for, and sets a 5-year 
limit on the selection of, the 128-bit Advanced Encryption Standard which is being 
developed under the auspices of the National Institute of Standards and Technology. 
The 2002 deadline will provide impetus for NIST to finish developing the standard 
in a timely manner while providing NIST with sufficient time to study the final 
standard’s security features. This is an important process that will result in a new 
standard for government’s sensitive, but unclassified, information and most likely 
will serve as the new worldwide standard for strong encryption similar to the Data 
Encryption Standard when it was introduced in the 1970’s. Once the algorithm is 
selected, the PROTECT Act removes all export controls on encryption products 
using the 128-bit standard or its equivalent strength. 

Unfortunately, because the PROTECT Act limits easy exportability of mass mar- 
ket products until the AES is adopted, general distribution of these products will 
have to wait almost three years. Considering the current speed of technological 
change, where Internet products are now on three-month product cycle times, and 
the fact that 128-bit comparable foreign encryption is currently available, this is an 
eternity in Internet time. Law enforcement and national security interests have 
known for a long time that ubiquitous use of strong encryption by consumers world- 
wide is just around the corner. They cannot hope to continue to delay the world 
from using strong encryption according to their timeframe. 

A new approach 

The preceding has made the argument that: 

• Encryption is essential to conducting all business in an Internet economy; 

• Encryption is vital to securing America’s critical infrastructures; 

• The availability of encryption cannot be reasonably controlled; 

• Government promoted or required plaintext access will not work; and 

• The government needs to find technological alternatives to meet its require- 
ments for access to information. 

If accepted, these arguments force one to the conclusion that a new approach to 
encryption policy is required. 

Senator Frist. Thank you very much. 

Mr. Bidzos. 

STATEMENT OF D. JAMES BIDZOS, VICE CHAIR, SECURITY 
DYNAMICS TECHNOLOGIES, INC. 

Mr. Bidzos. Thank you, Mr. Chairman. Let me also thank you 
and the committee for the opportunity to be here and testify this 
morning. At the outset, I want to say that the PROTECT Act definitely 
moves us in the right direction and is a real improvement 
over the current administration policy, but, as I will explain in a 
few moments, the bill could be further improved in several important 
respects. 

I am pleased to be here this morning and testify on behalf of 
Americans for Computer Privacy. ACP is a coalition of over 4,000 
individuals, 40 trade associations, and over 100 companies rep- 
resenting financial services, manufacturing, high tech, transpor- 
tation industries, as well as law enforcement, civil liberty, tax- 
payer, and privacy groups. 

Currently I am vice chairman of Security Dynamics Tech- 
nologies, but during the last 13 years I served as president and 
chief executive officer of RSA Data Security. RSA Data Security is 
the leading American company producing encryption products. It 
was founded in 1982 and our encryption technology is embedded in 
virtually every mainstream product, from things such as Microsoft 
Windows to Netscape’s Navigator, also Microsoft’s browser Internet 
Explorer, Intuit’s Quicken, and Lotus Notes. It is very widespread. 
Most of it is 128 bits. 

I am also the founder and chairman of a company called 
Verisign, which is the leader in Internet authentication and certifi- 
cation, and I am a director of several other security companies, in- 
cluding two in Japan and two in Europe. I think this has given me 
unique insight into the global encryption issue. 

I have been deeply involved in the debate over encryption policy 
during this time and hope my experience can benefit the committee. 
I testified for the first time about 10 years ago before the 
House Committee on Science, Space, and Technology, and made 
many of the arguments that we are hearing here today. 

I used to joke that encryption, the type of encryption that my 
company developed, was a solution in search of a problem. I do not 
say that any more because the problem is obvious and we have dis- 
covered it. Quite simply, it is e-commerce. E-commerce, however, is 
not going to reach its full potential unless it becomes secure. That 
would be a tremendous disappointment since electronic commerce 
between businesses alone is expected to reach over $300 billion per 
year by the year 2002. At least 60 percent of all Americans will be 
using the Internet and the number of worldwide online users is ex- 
pected to reach 250 million by the year 2002. 

Without relaxation of export controls, U.S. manufacturers remain 
at a competitive disadvantage and foreign consumers will purchase 
encryption products from foreign suppliers. Just in reaction to a 
comment made on the other panel, I would welcome the oppor- 
tunity after my statement to go into more detail, but I think that 
the Administration underestimates the determination and the ca- 
pabilities of the companies that we compete with overseas. 

Foreign products are comparable in capabilities and quality, and 
do not let anyone tell you otherwise. When a foreign purchaser can- 
not obtain an American product, they simply purchase it from a 
foreign supplier. The Siemens example we heard about is a good 
one. There are numerous others. Indeed, foreign companies are 
even testifying against relaxation of U.S. export controls. 

Unfortunately, not only are American companies losing the sale 
of an encryption item, but they are also losing a sale of the program 
or hardware, such as an Internet server or an application browser, 
that incorporates the encryption capability. In fact, companies risk 
losing sales of entire systems because of their inability to provide 
necessary security features. 

Over the last 13 years I have seen security move from literally 
out of nowhere to being No. 1, No. 2, or No. 3 on everybody’s list 
of absolutely critical essential features in products and systems 
that they intend to purchase. Companies that cannot offer that es- 
sential feature are cut out of the entire business opportunity. 

Thus, the only impact of the Administration’s export policy is 
widespread deployment of foreign-designed and manufactured soft- 
ware and hardware. 

But I think it is also essential to understand that full deploy- 
ment of strong encryption is vital to America’s national interest. 
ACP and its members are responsible citizens. We have no wish to 
facilitate the commission of crime or hurt national security. It is 
precisely because we hold these views that we believe it is in Amer- 
ica’s best interest to prevent crime and promote national security 
through widespread reliance on strong American encryption prod- 
ucts both here and abroad. 

We also believe that our law enforcement and intelligence agen- 
cies must be given the additional resources and technical help they 
need to meet the challenge of the next century. But those chal- 
lenges are far greater if these agencies are forced to face a world 
in which the majority of information and communications sys- 
tems — communications pass over systems and networks that are 
foreign-designed, foreign-built, foreign-installed, and incorporate 
foreign encryption. That may well apply to systems here in the 
United States as well, based on the way things are going now. 

The PROTECT Act is an improvement over current administra- 
tion policy. It affirms that Americans may use and sell any type 
of encryption domestically and ensures that the U.S. Government 
may not use its full powers and capabilities to compel Americans 
to use or sell a certain type of encryption. The PROTECT Act also 
provides a broader range of export relief for American encryption 
products and it provides a certain timeframe for export reviews. 
Also, the Act provides congressional support for and sets a 5-year 
limit on the selection of the 128-bit Advanced Encryption Standard. 

But even a good thing can be made better. The PROTECT Act 
should be further improved to reflect market and technological re- 
alities. The PROTECT Act does not permit individual foreign con- 
sumers to obtain strong non-recoverable encryption, making it im- 
possible for them to securely purchase products from American 
companies. 

Also, the Act does not provide immediate export relief for 
encryption sales to small businesses, one of the fastest growing 
worldwide business sectors. Unfortunately, the PROTECT Act lim- 
its easy exportability of mass market products with strong 128-bit 
encryption until NIST adopts the Advanced Encryption Standard. 
Exportability in the mean time is dependent on an unwieldy com- 
plex bureaucracy that will determine whether American products 
are generally available or compete with comparable foreign prod- 
ucts. We believe the evidence is already overwhelming regarding 
these facts. 

I would be happy to answer any questions about the significance 
of this 3-year delay in terms of how our competitors will exploit it 
and how that translates into Internet years and what it means for 
future opportunities. 

In conclusion, Mr. Chairman, ACP strongly urges the committee 
to move forward with the PROTECT Act and to adopt amendments 
to permit the immediate exportability of strong encryption to a 
broader range of businesses and individuals abroad. 

Thank you. 

[The prepared statement of Mr. Bidzos follows:] 

Prepared Statement of D. James Bidzos, Vice Chair, Security Dynamics 
Technologies, Inc. 

Congress must immediately relax export controls on software and hardware with 
encryption capabilities. Widespread deployment of American products with 
encryption capabilities will help to accelerate dramatically the growth of electronic 
commerce by protecting consumers’ privacy and preventing electronic crime. 

Without relaxation of export controls, U.S. manufacturers remain at a competitive 
disadvantage, and foreign consumers will purchase encryption products from foreign 
suppliers. Foreign products are comparable in capabilities and quality. When a for- 
eign purchaser cannot obtain an American product they simply purchase it from a 
foreign supplier. Unfortunately, not only are American companies losing a sale of 
an encryption item, but they are also losing the sale of the program or hardware 
such as an Internet server or an application browser that uses the encryption capa- 
bility. In fact, companies risk losing sales of entire systems because of their inability 
to provide necessary security features. The only impact of the Administration’s ex- 
port policy is widespread deployment of foreign designed and manufactured software 
and hardware. 

The Administration took the first step towards developing a sensible long-term 
encryption policy by permitting exports of select products to select users, but they 
still have not gone far enough. 

The PROTECT Act is an improvement over current Administration policy. It af- 
firms that Americans may use and sell any type of encryption domestically, and en- 
sures that the U.S. Government may not use its full powers and capabilities to com- 
pel Americans to use or sell a certain type of encryption. The PROTECT Act also 
provides a broader range of export relief for American encryption products and pro- 
vides a certain timeframe for the export review process. Also, the Act provides Con- 
gressional support for, and sets a 5-year limit on the selection of, the 128-bit Ad- 
vanced Encryption Standard. 

The PROTECT Act should be further improved to reflect market and technological 
realities. The PROTECT Act does not permit individual foreign consumers to obtain 
strong, non-recoverable encryption, making it impossible for them to securely pur- 
chase products from American companies. Also, the Act does not provide immediate 
export relief for encryption sales to small businesses — one of the fastest growing 
worldwide business sectors. 

Unfortunately, the PROTECT Act limits easy exportability of mass market prod- 
ucts with strong 128-bit encryption until NIST adopts the Advanced Encryption 
Standard. This means individual consumers and small businesses will have to wait 
three years to obtain strong American encryption, and foreign companies will have 
had three more years to market their products. Exportability in the meantime is de- 
pendent on an unwieldy complex bureaucracy that will determine whether American 
products are generally available or compete with comparable foreign products. We 
believe the evidence already is overwhelming regarding these facts. 

INTRODUCTION 

Good Morning. My name is Jim Bidzos, and I am Vice Chair of Security Dynamics 
Technologies, Inc., a Massachusetts-based security firm that is also the parent company 
of RSA Data Security, located in San Mateo, California. For over 13 years, 
until earlier this year, I was the President and CEO of RSA Data Security, the 
world’s leading encryption company. 

RSA’s technology is embedded in both Netscape and Microsoft browsers, and in 
over 500 other products, all used by hundreds of millions of people around the world 
to secure internet transactions and digital data of many types. Over many years, 
I have personally negotiated hundreds of licenses to RSA encryption technology, in- 
cluding licenses with companies such as IBM, Microsoft, ATT, Netscape, Oracle, and 
Motorola. These negotiations almost always involve discussions about encryption 
needs, end-user requirements, and export policy. I have thus gained unique insights 
into the needs and concerns of both industry and users with respect to encryption. 

I am also founder and chairman of Verisign, Inc., the leader in Internet authen- 
tication. Verisign is the world’s largest Internet security products and services com- 
pany as measured by both customers and market capitalization. 

I am a member of the board of directors of several other security companies. One 
specializes in virtual private networks. Another is a manufacturer of security to- 
kens. Another offers cryptographically secure digital time stamping services. I am 
also a director of a UK-based encryption hardware company, a Dublin-based secure 
electronic payments company, and two Japanese security companies. 

I have been deeply involved in the debate over encryption, from many aspects, including 
US policy on the export of this technology. Over the last 13 years, I have 
testified many times before both the House and Senate on encryption policy, and 
I have participated in numerous US and international standards activities. 

I believe that my long and unique history in the encryption area allows me to 
offer testimony today that may help the committee better understand industry’s con- 
cerns over US encryption policy. 

On behalf of Americans for Computer Privacy (“ACP”), thank you for the opportunity 
to testify on S.798, the PROTECT Act, sponsored by Chairman McCain and 
cosponsored by four other committee members Senators Burns, Wyden, Abraham, 
and Kerry. 

ACP is a coalition of over 3,500 individuals, 40 trade associations and over 100 
companies representing financial services, manufacturing, high-tech, and transpor- 
tation industries as well as law enforcement, civil-liberty, taxpayer and privacy 
groups. ACP supports policies that allow American citizens to continue using strong 
encryption without government intrusion, and advocates the lifting of export restric- 
tions of U.S. made encryption products. 

But we really are here today to speak on behalf of the tens of millions of users 
of American software and hardware products. The American software and hardware 
industries have succeeded because we have listened and responded to the needs of 
computer users worldwide. We develop and sell products that users want and for 
which they are willing to pay. 

One of the most important features computer users are demanding is the ability 
to protect their electronic information and to interact securely worldwide. American 
companies have innovative products which can meet this demand and compete 
internationally. But there is one thing in our way — the continued application of 
overbroad, unilateral, export controls by the U.S. Government. 

At the outset, I want to say that the PROTECT Act definitely moves us in the 
right direction and is a significant improvement over the Administration’s current 
policy — but it could be further improved in several important respects (along the 
lines of the SAFE Act). 

ACP recognizes a legitimate governmental need to obtain access to information 
and communications when authorized by proper legal authority. ACP and its mem- 
bers are responsible citizens. We have no wish to facilitate the commission of crime 
or the spread of terrorism. Similarly, we are committed to strengthening the na- 
tion’s infrastructure and promoting national security, enhancing the privacy of 
American citizens and ensuring the security of electronic commerce. 

But we believe that the best way of meeting all these objectives is to promote the 
widespread use of encryption! 

Ultimately, any truly successful, sensible encryption policy that has America’s 
best interests at heart must be based on technological and market realities, and 
should not create winners and losers in the encryption marketplace on a sector-by- 
sector basis. It would recognize that: 

• The worldwide encryption standard is 128-bit encryption; 

• Mass market software and hardware is inherently uncontrollable; and 

• It is in America’s national and economic security interests to have American de- 
signed and manufactured encryption products deployed worldwide. 

We believe it is preferable for Congress to put encryption policy on a statutory 
basis rather than continuing to leave it up to inconsistent Administration regula- 
tions — sending a strong message around the world that encryption is important for 
protecting the privacy of citizens, for promoting e-commerce, preventing crime and 
protecting our critical infrastructures and national defense. 

THE AMERICAN COMPUTER SOFTWARE AND HARDWARE INDUSTRIES — AN AMERICAN 
SUCCESS STORY 

The computer software and hardware industries are American success stories, but 
they are being threatened. America’s software and hardware industries are impor- 
tant contributors to U.S. economic security. Information technology industries now 
are directly responsible for over one-third of real growth of the U.S. economy, and 
both the computer and software industries are continuing to grow. From 1990 
through 1996, the software industry grew at a rate of 12.5%, nearly 2.5 times faster 
than the overall U.S. economy. 

More than 7 million people work in IT industries. In 1996, the software industry 
provided a total of over 619,000 direct jobs and $7.2 billion in tax revenues for the 
U.S. economy. The software industry is expected to create an average of 45,700 new 
jobs each year through 2005. If piracy were to be eliminated in the United States, 
the number of new software jobs created would double to an average of 93,000 a 
year. 

Moreover, the computer software industry has achieved tremendous success in the 
international marketplace with global sales of packaged (i.e., non-custom) software 
reaching over $118.4 billion in 1996, and rising to $135.4 billion in 1997. American 
produced software accounts for 70% of the world market, with exports of U.S. pro- 
grams constituting half of the industry’s output. 

The incredible growth of the industry and its exporting success benefits America 
through the creation of jobs here in the United States. Many of these jobs are in 
highly skilled and highly paid areas such as research and development, manufac- 
turing and production, sales, marketing, professional services, custom programming, 
technical support and administrative functions. In the U.S. software industry, work- 
ers enjoy more than twice the average level of wages across the entire economy — 
$57,319 versus $27,845 per person. 

All of these revenues and jobs are dependent upon American software and hard- 
ware producers remaining the market leaders around the world, especially as the 
major growth markets continue to be outside the United States. Strong export con- 
trols on products with encryption capabilities are crippling the ability of these com- 
panies to compete with foreign providers and are only ensuring that foreign prod- 
ucts are securing worldwide critical infrastructures, not American products. 

SECURE NETWORKS AND CONFIDENTIAL INFORMATION IN THE INTERNET AGE ARE THE
KEY TO PRIVACY AND COMMERCE 

American individuals and companies are rapidly becoming networked together 
through private local area networks (LANs), wide area networks (WANs) and public 
networks such as the Internet. Combined, these private and public networks are the 
economic engine driving electronic commerce, transactions and communications. 
This engine is sputtering and threatens to stall. 

Traffic on the Internet doubles every 100 days. Predictions of business-to-business 
Internet commerce for the year 2000 range from $66 billion to $171 billion, and by 
2002, electronic commerce between businesses is expected to reach $300 billion. 
During 1997, one leading manufacturer of computer software and hardware sold $3 
million per day online for a total of $1.1 billion for the year.

More and more individual consumers also are going on line and spending. Five
years from today, we anticipate nearly 60 percent of all Americans to be using the 
Internet. More than 10 million people in North America alone have already pur- 
chased something over the Internet, and at least 40 million have obtained product 
and price information on the Internet only to make the final purchase off-line. Alto- 
gether last year, consumers spent nearly $8 billion online. Nearly 1.5 million Ameri- 
cans join the online population every month, and the number of worldwide online 
users is expected to reach 248 million by 2002. 

The incredible participation by American consumers in the Internet phenomenon 
clearly demonstrates that the need for strong encryption is no longer merely the 
purview of our national security agencies concerned about securing data and com- 
munications from interception by foreign governments. Today, every American even 
merely dabbling on the Internet requires access to strong encryption. Imagine the 
boost in volume of e-commerce if all of these consumers had enough confidence in 
the security of the Internet to purchase on-line. Yet in 1996 the Computer Security 
Institute/FBI Computer Crime Survey indicated that our worldwide corporations 
will be increasingly under siege: over half from within the corporation, and nearly 
half from outside of their internal networks. 

Network users must have confidence that their communications and data — wheth- 
er personal letters, financial transactions or sensitive business information — are se- 
cure and private. Electronic commerce is transforming the marketplace — eliminating 
geographic boundaries and opening the world to buyers and sellers. Companies, governments
and individuals now realize that they can no longer protect data and communications
from others by relying on limiting physical access to computers and
maintaining stand-alone centralized mainframes. Instead, users expect to be able to 
pick up their e-mail or modify a document from any computer anywhere in the 
world simply by using their Internet browsers. Thus, consumers worldwide are de- 
manding to be able to protect their electronic information and interact securely 
worldwide, and access to products with strong encryption capabilities has become 
critical to providing them with confidence that they will have this ability. 

UNILATERAL U.S. EXPORT CONTROLS HARM AMERICAN INTERESTS 

Currently, there are no restrictions on the use of cryptography within the United 
States. However, the U.S. Government maintains strict unilateral export controls on 
computer products that offer strong encryption capabilities. 

American companies are forced to limit the strength of their encryption to the 56- 
bit key length level set late in 1998. The recently announced regulations will also 
permit companies to export stronger encryption on a sector-by-sector, user-by-user 
basis. However, this policy ignores the fact that: 

• The minimum strength now required by new Internet applications is 128-bit
encryption; 

• American companies cannot export encryption products to a vast majority of 
non-U.S. commercial entities. Foreign manufacturers provide 128-bit encryption al- 
ternatives and add-ons — filling the market void created by U.S. export controls; 

• Providing sector-by-sector relief is unworkable for mass market products and 
does not reflect commercial realities for sales of custom products; 

• 56-bit encryption has been demonstrated to be vulnerable to commercial let 
alone governmental attack. (In the beginning of this year at the RSA Encryption 
Conference, a 56-bit DES encoded message was broken by private companies and 
individuals working together in 22 hours and 15 minutes — imagine what a hostile 
government with serious resources could do); and 

• New developments in technology are introduced everyday that speed up 
decryption time. Adi Shamir, the Israeli computer scientist who is the “S” in RSA, 
recently announced “Twinkle”, which is a proposed method for quickly unscrambling 
computer-generated codes that have until now been considered secure, at the International
Association for Cryptographic Research’s latest meeting in Prague.

THE WASSENAAR ARRANGEMENT IS NOT A MULTILATERAL AGREEMENT TO 
CONTROL ENCRYPTION 

I want to take one minute to discuss the Wassenaar Arrangement at this point. 
Please do not be fooled by any claims from the Administration that the Wassenaar
Arrangement is the multilateral agreement on encryption that they have been touting
was just around the corner for the past several years.

The Wassenaar Arrangement replaced the old COCOM regime with a non-binding 
agreement among 30 countries to report on their sensitive exports. The December 
1998 Wassenaar Arrangement agreement actually decontrolled encryption products. 
Many countries, such as Israel and South Africa, who export strong encryption are 
not signatories to the Arrangement. The Wassenaar Arrangement eliminates con- 
trols of any sort on 56-bit encryption and permits exports of up to 64-bit encryption 
in mass-market software and hardware. It also removed any reporting require- 
ments — the sole official means for actually monitoring what countries are doing. Al- 
though the Arrangement left open the possibility that countries might individually 
control 128-bit encryption, we are skeptical that they will do so. There is no penalty 
for failing to control 128-bit encryption, and most countries are actually moving to- 
wards encouraging the use of stronger encryption. Finally, a country could tech- 
nically comply with the Arrangement, while still permitting easy exports of strong 
encryption. 

Ironically, the U.S. government is a good example of the lack of effect of the 
Wassenaar Arrangement. In its new encryption regulations, the Administration is 
still controlling encryption products with greater than 56, not 64, bit keys, and they 
have imposed reporting requirements on mass market products even if they are 
using 64-bit encryption. 

Recently, on June 2, 1999, the German government established a new encryption 
policy seeking to improve protection of German users of global information networks 
and clarifying that any encryption product may be developed, produced, marketed
and used without restrictions in Germany. The German government declared its in- 
tention to simplify their export review process and to strengthen the performance 
and ability of German manufacturers to compete internationally. The German gov- 
ernment will monitor abuses of encryption for illegal purposes and attempt to fur- 
ther improve the technical capabilities of German law enforcement and security 
agencies to handle advances in encryption technology. 

Even France, traditionally the country which placed the greatest restrictions on 
its own citizens by limiting them to the easily broken 40-bit level of encryption, has 
recognized that technology has progressed. Near the end of 1998, France relaxed 
controls on the domestic use of encryption and is now permitting, and in fact en- 
couraging, the use of 128-bit encryption by its citizens. 

WITHOUT EXPORT RELIEF, FOREIGN CONSUMERS WILL PURCHASE THEIR PRODUCTS
FROM FOREIGN SUPPLIERS, KEEPING U.S. MANUFACTURERS AT A COMPETITIVE
DISADVANTAGE

Export controls also have made American companies less competitive and opened 
the door for foreign software and hardware developers to gain significant market 
share — decreasing our national and economic security. 

As a result of U.S. unilateral export controls, encryption expertise is being devel- 
oped off-shore by foreign manufacturers who now provide hundreds of encryption al- 
ternatives and add-ons. The Administration’s export controls are in no way pre- 
venting foreigners, let alone those with criminal intent, from obtaining access to 
encryption products. In fact, foreign software and hardware manufacturers have 
seized the opportunity to create sophisticated encryption products and to capture 
sales. 

As long ago as 1995, the General Accounting Office confirmed that sophisticated 
encryption software is widely available to foreign users on foreign Internet sites.
In 1996, a Department of Commerce study again confirmed the widespread avail- 
ability of foreign manufactured encryption programs and products. Professor Hoff- 
man today releases the results of his latest survey which shows the continuing 
growth in foreign encryption products in the face of U.S. export controls. 

If an encryption product is combined with other applications such as Internet 
browsers and application servers, U.S. companies generally will lose both sales. In 
fact, companies risk losing sales of entire systems because of inability to provide 
necessary security features. This permits foreign manufacturers to gain entry into 
companies as well as gain credibility — providing the foreign manufacturers with further
opportunity to take away future sales in the same and other product lines.

U.S. ENCRYPTION EXPORT CONTROLS HURT AMERICAN COMPANIES WITHOUT HELPING 
LAW ENFORCEMENT OR NATIONAL SECURITY 

U.S. export controls have had the effect of creating an encryption expertise out- 
side the United States that is gathering momentum. Unfortunately, every time re- 
search and development of an encryption technique or product moves off-shore, U.S. 
law enforcement and national security agencies lose. We believe that continuing 
down this path will be ultimately more harmful to our national security and law 
enforcement efforts as American companies will no longer be the world leaders in 
creating and developing encryption products. 

In fact, as long ago as 1996, the NRC Committee concluded that as demand for 
products with encryption capabilities grows worldwide, foreign competition could 
emerge at levels significant enough to damage the present U.S. world leadership in 
information technology products. The Committee felt it was important to ensure the 
continued economic growth and leadership of key U.S. industries and businesses in 
an increasingly global economy, including American computer, software and commu- 
nications companies. Correspondingly, the Committee called for an immediate and 
easy exportability of products meeting general commercial requirements — which is 
currently 128-bit level encryption! 

To summarize: 

• Foreign competitors not subject to outdated U.S. export controls are ready to 
take sales and customers from U.S. companies today. 

• Complex and cumbersome U.S. export controls make American companies less 
competitive. They significantly increase the costs of developing, marketing and sell- 
ing products with encryption capabilities, delay the introduction of new products or 
features, and encourage foreign customers to purchase from foreign suppliers due 
to the uncertainty and delay in obtaining a comparable American product. 

• Current export controls do not keep strong encryption out of the hands of for- 
eign customers; they just keep U.S. products out of their hands. 

• In the future, if export controls on encryption are not relaxed, both American
and foreign infrastructures will be secured by foreign encryption products, creating 
a significant problem for American law enforcement and national security agencies. 

American companies do have exciting and innovative products that can meet the 
demand for 128-bit encryption and compete internationally. But unless the current 
unilateral U.S. export restrictions are changed to allow the use of strong encryption,
American individuals and businesses will not be active participants in this new 
networked world of commerce — let alone continue to be the leaders in its develop- 
ment. Furthermore, American companies will no longer be providing the world, and 
its critical infrastructures, with the answers to their security problems. Instead for- 
eign companies will. It is unclear how U.S. national security or law enforcement will 
be aided or how our critical infrastructures will be secure when foreign encryption 
products dominate the world market. 

THE BERNSTEIN CASE 

The absurdity of the existing export control regime is further highlighted by the 
recent decision of the 9th Circuit Court of Appeals in Bernstein v. DOJ. In that case, 
the court held that the existing restrictions on the export of source code, the lan- 
guage in which programmers communicate their ideas to one another, are an uncon- 
stitutional prior restraint on first amendment rights of free speech. So now we have 
a situation where it is permissible to export jobs (because one can export source code 
to teach foreign programmers), but not American products (because one cannot em- 
body that source code in a product)! 

More generally, Judge Fletcher’s opinion raises some very valid, more general
questions and points out how important encryption is to the mainstream life of 
Americans rather than merely to obscure technologists. Judge Fletcher states: 

In this increasingly electronic age, we are all required in our everyday lives 
to rely on modern technology to communicate with one another. This reliance 
on electronic communication, however, has brought with it a dramatic diminu- 
tion in our ability to communicate privately. Cellular phones are subject to mon- 
itoring, email is easily intercepted, and transactions over the internet are often 
less than secure. Something as commonplace as furnishing our credit card num- 
ber, social security number, or bank account number puts each of us at risk. 
Moreover, when we employ electronic methods of communication, we often leave 
electronic “fingerprints” behind, fingerprints that can be traced back to us. 
Whether we are surveilled by our government, by criminals, or by our neighbors,
it is fair to say that never has our ability to shield our affairs from prying
eyes been at such a low ebb. The availability and use of secure encryption may 
offer an opportunity to reclaim some portion of the privacy we have lost. Gov- 
ernment efforts to control encryption thus may well implicate not only the First 
Amendment rights of cryptographers intent on pushing the boundaries of their 
science, but also the constitutional rights of each of us as potential recipients 
of encryption’s bounty. Viewed from this perspective, the government’s efforts 
to retard progress in cryptography may implicate the Fourth Amendment, as 
well as the right to speak anonymously, . . ., the right against compelled speech, 
. . ., and the right to informational privacy. While we leave for another day the 
resolution of these difficult issues, it is important to point out that Bernstein’s 
is a suit not merely concerning a small group of scientists laboring in an eso- 
teric field, but also touches on the public interest broadly defined. 

THE ADMINISTRATION TOOK A SMALL FIRST STEP TOWARDS DEVELOPING A SENSIBLE 
LONG-TERM ENCRYPTION POLICY, BUT THEY STILL HAVE NOT GONE FAR ENOUGH 

Progress was made last year in the new Administration policy announced by the
Vice President in September and contained in the interim final regulations of De- 
cember 31, 1998. 

AGP welcomed the Administration’s efforts to relax export controls on select prod- 
ucts used by select users. We especially appreciated the Administration’s apparent 
abandonment of its key escrow policy that would have required all encryption ex- 
ports (except for 40-bit and less encryption) to be capable of providing third parties 
with immediate access to the plaintext of stored data or communications without 
the knowledge of the user. Foreign companies and consumers simply would not pur- 
chase such products as a multitude of foreign products without key escrow are read- 
ily available. 

However, the Administration’s actions are merely a first step. U.S. export controls 
still ignore the realities of mass-market software and hardware distribution. Mass- 
market software publishers and hardware manufacturers sell products through multiple
distribution channels such as OEMs (i.e., hardware manufacturers that pre-load
software onto computers), value-added resellers, retail stores and the emerging
channel of on-line distribution. Thus, mass market products are available to the 
general public from a variety of sources. (It also is why continued reporting require- 
ments about end-uses and end-users make no sense.) 

The mass-market distribution model presupposes that software publishers and 
hardware manufacturers will take full advantage of these multiple channels to ship 
identical or substantially similar products worldwide (allowing only for differences 
resulting from localization) irrespective of specific customer location or characteris- 
tics. As mass market products are uncontrollable, AGP believes U.S. companies 
should be able to export the current market standard of 128-bit encryption. Unfortu- 
nately, the Administration has only proposed permitting easy exports of 66-bit 
encryption even if foreign products exist in the marketplace. 

AGP also believes that encryption hardware and software should be treated iden- 
tically. However, contrary to the Administration’s original announcement regarding 
export relief which included export relief for hardware, the new regulations still do 
not permit 56-bit encryption chips, integrated circuits, toolkits and executable or 
linkable modules to be easily exported except to subsidiaries of U.S. companies or 
otherwise relax export controls on stronger mass market hardware. 

In addition, AGP believes that the new regulations are so complex and contain 
unrealistic requirements that they undermine many of the benefits of the Adminis- 
tration’s export relief for stronger encryption, especially for mass market hardware 
and software. U.S. companies are now required to meet a number of new, unilateral 
reporting requirements. For example, exporters now are required to report the name 
and address of end-users, a virtual impossibility for mass-market exporters because 
registration of end-users is customarily voluntary. A system to obtain the names 
and addresses of each of the millions of potential health care end-users, for example, 
would cost more than the profits yielded from many products. 

AGP also is disappointed that the Administration’s regulations do not clearly pro- 
vide online merchants with the level of export control relief originally envisioned as 
they do not permit ISPs to provide “services” as a permissible end-use. This could 
chill the use by ISPs located abroad of U.S.-origin encryption products for billing,
payment, and delivery purposes, despite the widespread foreign availability of such 
products. 

THE PROTECT ACT IS AN IMPROVEMENT OVER CURRENT ADMINISTRATION POLICY

The PROTECT Act Establishes The Correct Domestic Encryption Policy 

The PROTECT Act affirms that Americans may use and sell any type of 
encryption domestically. Even more importantly, the PROTECT Act ensures that 
the U.S. Government may not use its full powers and capabilities to compel, directly 
or indirectly, Americans to use or sell a certain type of encryption. This will prevent 
the U.S. Government from attempting to achieve domestic controls on encryption 
through regulations or “incentives”. 

For example, the Act prohibits the U.S. Government from linking the ability to 
electronically sign a document to a requirement that the consumer use a particular 
encryption methodology for ensuring confidentiality. Thus, the U.S. Government 
cannot require Americans to use a certain type of encryption (such as key escrow) 
to engage in electronic commerce. 

Also, the PROTECT Act specifically restricts the government from requiring any 
American to use a particular encryption product or methodology to communicate 
with or transact business with the government. The U.S. Government may only 
specify technologies for its own internal uses. 

The PROTECT Act Provides Additional Export Relief For Encryption Products 

The PROTECT Act provides a broader range of export relief for American 
encryption products than the Administration. We are pleased that the PROTECT 
Act provides immediate export relief after a one-time review by the government for: 

• All encryption products using key lengths of 64-bits or less rather than the less 
secure 56-bit key lengths proposed by the Administration; 

• All recoverable encryption products regardless of key length, including tele- 
communications related products; and 

• All encryption products using key lengths greater than 64-bits to certain legiti- 
mate and responsible commercial users, including publicly traded firms, firms sub- 
ject to government regulation, U.S. companies’ foreign subsidiaries, affiliates and 
strategic partners, on-line merchants who use encryption products to support elec- 
tronic commerce, and foreign governments who are members of NATO, OECD and 
ASEAN. 

We are also pleased that the PROTECT Act recognizes the need for a quicker and 
more certain timeframe for the export review process. Businesses simply cannot live 
with the U.S. Government taking between 3 to 6 months to determine whether a 
product is exportable when many Internet products have 90 day product cycles and 
most businesses do not want to wait through one or two business quarters to update 
their computer systems. 

The PROTECT Act Begins To Recognize Mass Market Product Realities 

We also are encouraged that the PROTECT Act recognizes the difficulties in com- 
plying with reporting requirements for mass market encryption products and elimi- 
nates such reporting requirements. It is virtually impossible for mass-market ex- 
porters to report the name and address of each end-user. Millions of these products 
are sold through multi-level distribution channels (e.g., VAR’s and chain stores). 
Moreover, registration of mass market products is customarily voluntary. This is
a vast improvement over the Administration’s proposed regulations which effectively 
require companies to develop a system to obtain the names and addresses for each 
health and medical end-user of stronger encryption products and all foreign online 
merchants. 

The PROTECT Act also provides Congressional support for, and sets a 5-year 
limit on the selection of, the 128-bit Advanced Encryption Standard which is being 
developed under the auspices of the National Institute of Standards and Technology. 
The 2002 deadline will provide impetus for NIST to finish developing the standard 
in a timely manner while providing NIST with sufficient time to study the final 
standard’s security features. This is an important process that will result in a new 
standard for government’s sensitive, but unclassified, information and most likely 
will serve as the new worldwide standard for strong encryption similar to the Data
Encryption Standard when it was introduced in the 1970’s. Once the algorithm is 
selected, the PROTECT Act removes all export controls on encryption products 
using the 128-bit standard or its equivalent strength. 

THE PROTECT ACT SHOULD BE FURTHER IMPROVED TO REFLECT MARKET AND
TECHNOLOGICAL REALITIES 

The PROTECT Act Does Not Provide Immediate Export Relief For Indi- 
vidual Consumers 

The PROTECT Act does not go far enough to protect the millions and millions 
of consumers that are now engaging in electronic commerce. Foreign consumers still 
will not be able to obtain an American Internet browser with strong, non-recover- 
able encryption, making it impossible for them to securely purchase products from 
American companies. Also, an everyday foreign consumer who wants to protect an 
on-line diary, copies of health care records or a business proposal, may not easily 
obtain strong encryption to do so from American sources if any portion of the 
encryption used by the product is non-recoverable. Under the bill, all these individ- 
uals must wait until 2002. 

The PROTECT Act Does Not Provide Immediate Export Relief For Small Businesses 

We believe the PROTECT Act provides greater export relief for larger corporate 
customers. However, until 2002, small and privately-owned businesses face signifi- 
cant difficulty in easily obtaining U.S. encryption under any of the License Excep- 
tions established by the PROTECT Act. So, for example, if two doctors in private 
practice together in Brazil or a restaurant owner in France or a small shopping 
market in Germany wants to purchase non-recoverable encryption, these small busi- 
nesses probably would purchase a comparable foreign product as an American com- 
pany could not easily export it to them. 

Unfortunately, as companies install the security “plumbing” into their individual 
computers and company networks, it becomes increasingly difficult for American 
companies to replace the foreign software and hardware that already has been in- 
stalled. Because the small business sector is, and most likely will continue to be, 
the fastest growing business sector, this puts American companies at a distinct dis- 
advantage in selling encryption products at a later date. 

The PROTECT Act’s Export Relief For Mass Market Products And For Products 
Which Face Competition From Comparable Foreign Products Is Too Complicated 
And Creates An Unwieldy Bureaucracy 

The PROTECT Act does recognize that mass market and publicly available 
encryption products, and encryption products for which comparable foreign products 
are available, should be treated differently under the U.S. export regime. The bill 
acknowledges the futility of trying to control a product that can be bought off of the 
Internet or easily purchased from commercial vendors such as CompUSA or from 
Circuit City by any individual in America regardless of nationality, or a comparable 
product can be easily purchased from similar stores in a foreign country. “Bad guys” 
certainly will have no problems obtaining the encryption products, and no concerns 
about “exporting” the products via telephone lines or the Internet or smuggled out 
on personally pressed CDs. The only impact of the export controls will be to stop 
American companies from selling American products to legitimate users. 

Unfortunately, the PROTECT Act establishes a complicated private/public board 
structure for deciding after-the-fact whether or not a product is a mass market prod- 
uct or whether comparable foreign products are available. The Secretary of Com- 
merce has thirty days to approve or disapprove the Board determination, subject to 
judicial review, and the President may override any determination. Unfortunately, 
there is no guarantee of any consistency in the Board’s decisions. Thus, while the 
Board procedure is an improvement, and the opportunity for judicial review provides 
a mechanism to ensure that exports are not denied in an arbitrary and capricious 
manner, it is not a predictable, clear process giving American companies certainty 
as to whether they can export their products. Such predictability is necessary so 
that American companies can have confidence designing and building security fea- 
tures into their products. 

The PROTECT Act should, but does not, afford complete and immediate export 
relief for mass market encryption without any complicated oversight. The Act also 
does not recognize that if a comparable foreign product is available, any delay in 
exports provides a significant advantage to the foreign product. 

The PROTECT Act’s Relief For 128-Bit AES Products Is Too Little, Too Late 

I want to make one final comment regarding the general exportability of mass 
market products. We support NIST’s efforts to establish a new 128-bit Advanced 
Encryption Standard; however, under the bill, it will not be finalized until 2002. Be- 
cause the PROTECT Act limits easy exportability of mass market products until the 
AES is adopted, general distribution of these products will have to wait almost three 
years. Considering the current speed of technological change, where Internet products
are now on three-month product cycle times, and the fact that 128-bit comparable
foreign encryption is currently available, this is an eternity in Internet time.
Law enforcement and national security interests have known for a long time that 
ubiquitous use of strong encryption by consumers worldwide is just around the cor- 
ner. They cannot hope to continue to delay the world from using strong encryption 
according to their timeframe. 

THE TIME FOR ACTION IS NOW

To keep American vendors on a level international playing field and American 
computer users adequately protected, U.S. export controls must be immediately up- 
dated to reflect technological and international market realities. 

Thank you. 

Senator Frist. Thank you, Mr. Bidzos. 

Dr. Hoffman. 

STATEMENT OF LANCE J. HOFFMAN, PH.D., PROFESSOR, DEPARTMENT
OF ELECTRICAL ENGINEERING AND COMPUTER
SCIENCE, AND DIRECTOR OF THE SCHOOL OF ENGINEERING
AND APPLIED SCIENCE, CYBERSPACE POLICY INSTITUTE,
THE GEORGE WASHINGTON UNIVERSITY

Dr. Hoffman. Thank you, Mr. Chairman. I appreciate the oppor- 
tunity to be here this morning. I will give an abridgment of my 
written statement which has been previously furnished to this com- 
mittee. 

My name is Lance Hoffman. I am a professor in the Department 
of Electrical Engineering and Computer Science at The George 
Washington University here in Washington, DC. I am also director 
of the School of Engineering’s Cyberspace Policy Institute and the 
author or editor of five books and numerous articles on computer 
security and privacy. My most recent book is a compendium of pa- 
pers on the encryption policy problem entitled “Building in Big 
Brother.” 

Our Institute recently produced a report which we are releasing 
today, which I think you have been furnished, entitled “Growing 
Development of Foreign Encryption Products in the Face of U.S. 
Export Regulations.” This report is also available from the Insti- 
tute and will be available later on this afternoon on our web site, 
where detailed tables and charts supporting the testimony I am 
giving are available. 

We did this work in cooperation with NAI Labs, the Security Re- 
search Division of Network Associates in Glenwood, MD. The 
project manager for NAI Labs, Dave Balenson, is with me today. 
We were assisted in this project by three students. 

In our work, we found that the development of cryptographic 
products outside the United States is not only continuing, but is ex- 
panding to additional countries. With the rapid growth of the Inter- 
net, communications-related cryptography especially has been ex- 
periencing high growth. 

We identified 805 hardware and/or software products which in- 
corporate cryptography. These were manufactured in 35 countries 
outside the United States. Attachment 1 to the written testimony 
provides the details on the countries and products. 

These 805 foreign cryptographic products represent a 149-prod- 
uct increase, or 22 percent, over the most recent previous survey 
in December 1997. At least 167 of these use strong encryption, the 
kind that one cannot export from the United States without applying
for and receiving export license approval.

Cryptography product manufacturers have appeared in six new 
countries since December 1997: Estonia, Iceland, Isle of Man, Ro- 
mania, South Korea, and Turkey. In established markets, there 
have been some large increases in the number of products offered. 
For example, the United Kingdom jumped by 20 products and Ger- 
many jumped by 28 products, going from 76 to 104. 

Mr. Chairman, in 70 countries outside the United States, foreign 
companies are manufacturing or distributing cryptographic prod- 
ucts. We found 512 of these companies. On average, the quality of 
foreign and U.S. products is comparable and there are a number 
of very good foreign encryption products that are quite competitive 
in strength, standards compliance, and functionality. 

A significant number of foreign competitors to U.S. manufactur- 
ers are developing products with strong encryption and have as 
customers a number of large foreign or multinational corporations. 
Our report gives more detail on some of these companies and their 
offerings. 

We also found some examples of advertising used by non-U.S. 
companies that generally attempted to create the perception that 
purchasing American products may involve significant red tape and 
the encryption may not be strong due to export controls. Cited ear- 
lier this morning was material from Cybernetica’s web site in Esto- 
nia, and that is also in the written testimony. 

Mr. Chairman, companies want to sell encryption products that 
meet certain accepted worldwide standards. To give you just two 
examples, in the case of IPsec, the Internet Protocol Security 
Standard, there are implementations from at least nine companies 
in five foreign countries. One of these is a joint effort of several 
Japanese companies, including Fujitsu, Hitachi, Toshiba, and NEC. 

Two years ago NIST solicited algorithms for the Advanced 
Encryption Standard to replace the Data Encryption Standard, 
DES, as the U.S. Government standard. The majority of the 15 
candidate algorithms submitted came from foreign countries. So it 
is very possible that the next U.S. Government encryption standard 
will have been designed outside the United States. 

Finally, Mr. Chairman, our empirical product data could be com- 
bined with economic measures and economic theories to better ex- 
plain why we are seeing this observed growth in the cryptography 
marketplace and to examine the effects of Internet growth, elec- 
tronic commerce development, and regulatory actions on the mar- 
ket over time. With this knowledge, we would be able to more eas- 
ily adjust our national laws for a global economy. 

Thank you. 

[The prepared statement of Dr. Hoffman follows:] 

Prepared Statement of Lance J. Hoffman, Ph.D., Professor, Department of
Electrical Engineering and Computer Science, and Director of the
School of Engineering and Applied Science, Cyberspace Policy Institute,
The George Washington University

My name is Lance J. Hoffman. I am a professor in the Department of Electrical 
Engineering and Computer Science at The George Washington University in Wash- 
ington, D.C. I also am Director of the School of Engineering’s Cyberspace Policy In- 
stitute and the author or editor of five books and numerous articles on computer 
security and privacy. My most recent book is a compendium of papers on the 
encryption policy problem entitled Building in Big Brother (Springer-Verlag, New
York, 1995). 

Currently, I am the principal investigator for a project entitled “Cryptography 
Products and Market Survey”. As part of that project, we have recently produced 
a report entitled “Growing Development of Foreign Encryption Products in the Face 
of U.S. Export Regulations”. I am leaving you copies of that report, which is also 
available from the Institute or on our Web site at
http://www.seas.gwu.edu/seas/institutes/cpi/library/papers.html, where detailed tables and charts supporting this
testimony are also available. We did this work in cooperation with NAI Labs, the 
Security Research Division of Network Associates, Inc., Glenwood, Md. The project 
manager for NAI Labs, Mr. David Balenson, is with me today. We were assisted 
in this project by three students. 

In the project, we surveyed encryption products developed outside the United 
States and found that the development of cryptographic products outside the United 
States is not only continuing but is expanding to additional countries; with rapid 
growth of the Internet, communications-related cryptography especially is experi- 
encing high growth. 

As of June 8, 1999, we identified 805 hardware and/or software products incor- 
porating cryptography manufactured in 35 countries outside the United States. As 
shown in Attachment 1, the greatest number of foreign cryptographic products are 
manufactured in the United Kingdom, followed by Germany, Canada, Australia, 
Switzerland, Sweden, the Netherlands, and Israel in that order. Other countries ac- 
counted for slightly more than a quarter of the world’s total of encryption products. 

These 805 foreign cryptographic products represent a 149-product increase (22%) 
over the most recent previous survey in December 1997. At least 167 of them use 
strong encryption, the kind that one cannot export from the United States without 
applying for and receiving export license approval. The algorithms used in these are 
Triple DES, IDEA, BLOWFISH, CAST-128, or RC5. 

Cryptography product manufacturers have appeared in six new countries since 
December 1997: Estonia, Iceland, Isle of Man, Romania, South Korea, and Turkey. 
There has also been a large increase in the number of products produced by certain 
countries. The United Kingdom jumped by 20 products from 119 to 139, and Ger- 
many jumped from 76 products to 104. Also notable was Japan’s increase, from 6 
products to 18, and Mexico’s, from a single product to six. 

There are now 512 foreign companies that either manufacture or distribute for- 
eign cryptographic products in 70 countries outside the United States. Attachment 
2 lists these countries. 

On average, the quality of foreign and U.S. products is comparable. We have
encountered poor products both within and outside the U.S., and we have encountered
good products both within and outside the U.S. There are a number of very good 
foreign encryption products that are quite competitive in strength, standards com- 
pliance, and functionality. 

A significant number of foreign competitors to U.S. manufacturers of software and 
hardware with encryption capabilities are developing products with strong 
encryption, and have as customers a number of large foreign or multinational cor- 
porations. The report gives thumbnail sketches of some of these companies and their 
offerings. 

We found some examples of advertising used by non-U.S. companies that generally
attempted to create the perception that purchasing American products may involve 
significant red tape and the encryption may not be strong due to export controls. 
As an example, we show in Attachment 3 material from Cybernetica’s Web site in 
Estonia. We give several other examples of similar advertising in the report. 

Companies want to sell encryption products that meet certain accepted worldwide 
standards. Encryption experts from all over the world have contributed to two im- 
portant international standards efforts, IPsec and the Advanced Encryption Stand- 
ard. In the case of IPsec, there are currently implementations (complete or in the 
works) from at least nine companies in five foreign countries. One effort, the KAME 
Project, is a joint effort of several Japanese companies (Fujitsu, Hitachi, IIJ Re- 
search Laboratory, NEC, Toshiba, and Yokogawa). 

In 1997, the National Institute of Standards and Technology (NIST) solicited algo- 
rithms for the Advanced Encryption Standard (AES) to replace the Data Encryption 
Standard (DES) as a U.S. government encryption standard. Individuals and compa- 
nies from eleven different foreign countries proposed 10 out of the 15 candidate al- 
gorithms submitted to NIST. So it is very possible that the next U.S. government 
encryption standard will have been designed outside the United States. Details on 
who submitted what algorithm are given in Attachment 4. 

Finally, our empirical product data could be combined with economic measures 
and economic theories to better explain why we are seeing the observed growth in 
the cryptography marketplace, and to examine the effects of Internet growth,
e-commerce development, and regulatory actions on the international cryptographic
market over time, thus getting better insights into the implications of various policy
options. We should be able to combine previous work with studies already available
on the information technology sector and the data in our study to better understand 
the changes we are seeing in the global marketplace, and thus be able to more eas- 
ily adjust national laws for a global economy. 
Attachment 1. Foreign Cryptographic Products by Country

Foreign Cryptographic Survey Results (as of May 1999)

The updated survey identified a total of 805 foreign cryptographic products from 35
countries:

Argentina, Australia, Austria, Belgium, Canada, Czech Republic, Denmark, Estonia,
Finland, France, Germany, Greece, Hong Kong, Iceland, India, Iran, Ireland,
Isle of Man, Israel, Italy, Japan, Mexico, Netherlands, New Zealand, Norway, Poland,
Romania, Russia, South Africa, South Korea, Spain, Sweden, Switzerland, Turkey, UK




At least 167 of these foreign cryptographic products implement "strong" 
cryptographic algorithms, including Triple DES, IDEA, BLOWFISH, RC5, or CAST. 

We identified 512 foreign cryptography companies (including distributors as well as 
manufacturers) in 70 countries. 
Attachment 2. Foreign countries in which cryptography is manufactured or distributed

Argentina, Australia, Austria, Bahrain, Baltic Republics, Bangladesh, Belgium, Brazil,
Brunei, Canada, Chile, Colombia, Cyprus, Czech Republic, Denmark, Estonia, Finland,
France, Germany, Ghana, Greece, Hong Kong, Iceland, India, Indonesia, Iran, Ireland,
Isle of Man, Israel, Italy, Ivory Coast, Japan, Kenya, Kuwait, Luxembourg, Madagascar,
Malaysia, Malta, Mauritius, Mexico, Nepal, Netherlands, New Zealand, Nigeria, Norway,
Oman, Philippines, Poland, Portugal, Qatar, Reunion, Romania, Russia, Saudi Arabia,
Singapore, Slovak Republic, South Africa, South Korea, Spain, Sweden, Switzerland,
Taiwan, Thailand, Turkey, United Arab Emirates, United Kingdom, Venezuela,
West Indies, Yugoslavia, Zimbabwe
Attachment 3. Example of advertising used to create a perception that
Attachment 4. Proposed Candidate for Advanced Encryption Standard

Country             Candidate Algorithm   Submitter(s)
Australia           LOKI97                Lawrie Brown, Josef Pieprzyk, Jennifer Seberry
Belgium             RIJNDAEL              Joan Daemen, Vincent Rijmen
Canada              CAST-256              Entrust Technologies, Inc.
                    DEAL                  Outerbridge, Knudsen
Costa Rica          FROG                  TecApro Internacional S.A.
France              DFC                   Centre National pour la Recherche Scientifique (CNRS)
Germany             MAGENTA               Deutsche Telekom AG
Japan               E2                    Nippon Telegraph and Telephone Corporation (NTT)
Korea               CRYPTON               Future Systems, Inc.
USA                 HPC                   Rich Schroeppel
                    MARS                  IBM
                    RC6                   RSA Laboratories
                    SAFER+                Cylink Corporation
                    TWOFISH               Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, Niels Ferguson
UK/Israel/Norway    SERPENT               Ross Anderson, Eli Biham, Lars Knudsen


Smid, M., and M. Dworkin, Special Report on the First AES Conference, presented at Crypto '98
Conference, August 1998, http://csrc.nist.gov/encryption/aes/round1/crypto98.pdf.
Growing Development of Foreign Encryption Products in the Face of U.S. Export Regulations

EXECUTIVE SUMMARY

Development of cryptographic products outside the United States is not only con- 
tinuing but is expanding to additional countries; with rapid growth of the Internet, 
communications-related cryptography especially is experiencing high growth, espe- 
cially in electronic mail, virtual private network, and IPsec products. This report 
surveys encryption products developed outside the United States and provides some 
information on the effect of the United States export control regime on American 
and foreign manufacturers. 

We have identified 806 hardware and/or software products incorporating cryptog- 
raphy manufactured in 35 countries outside the United States. The most foreign 
cryptographic products are manufactured in the United Kingdom, followed by Ger- 
many, Canada, Australia, Switzerland, Sweden, the Netherlands, and Israel in that 
order. Other countries accounted for slightly more than a quarter of the world’s total 
of encryption products. A full summary listing of the foreign cryptographic products 
can be found in an appendix to the report. 

The 805 foreign cryptographic products represent a 149-product increase (22%)
over the most recent previous survey in December 1997. A majority of the new for- 
eign cryptographic products are software rather than hardware. Also, a majority of 
these new products are communications-oriented rather than data storage oriented; 
they heavily tend towards secure electronic mail, IP security (IPsec), and Virtual 
Private Network applications. 

We identified at least 167 foreign cryptographic products that use strong 
encryption in the form of these algorithms: Triple DES, IDEA, BLOWFISH, RC5, 
or CAST-128. Despite the increasing use of these stronger alternatives to DES, 
there also continues to be a large number of foreign products offering the use of 
DES, though we expect to see a decrease in coming years. 

New cryptography product manufacturers have appeared in six new countries 
since December 1997, and there has been a large increase in the number of products 
produced by certain countries. The new countries are Estonia, Iceland, Isle of Man, 
Romania, South Korea, and Turkey. The United Kingdom jumped by 20 products 
from 119 to 139, and Germany jumped from 76 products to 104. Also notable was 
Japan’s increase, from 6 products to 18, and Mexico’s, from a single product to six 
at the present time. 

We identified a total of 512 foreign companies that either manufacture or dis- 
tribute foreign cryptographic products in at least 67 countries outside the United 
States. A full summary listing of these is given in an appendix to the report. 

On average, the quality of foreign and U.S. products is comparable. There are a 
number of very good foreign encryption products that are quite competitive in 
strength, standards compliance, and functionality. 

We present sketches of some representative competitors to U.S. manufacturers of 
software and hardware with encryption capabilities; all are developing products 
with strong encryption and have as customers a number of large foreign or multi- 
national corporations. The specific companies highlighted are Baltimore Tech- 
nologies, Brokat, Check Point, Data Fellows, Entrust, Radguard, Seguridata 
Privada, Sophos, and Utimaco. 

We found some examples of advertising used by non-U.S. companies that gen- 
erally attempted to create a perception that purchasing American products may in- 
volve significant red tape and the encryption may not be strong due to export con- 
trols. This almost always appeared on Web sites. 

We observed that companies vie to have encryption products that meet certain ac- 
cepted worldwide standards. Encryption experts from all over the world have con- 
tributed to two important international standards efforts, IPsec and the Advanced 
Encryption Standard.

Finally, we suggested that our empirical product data could be combined with eco- 
nomic measures and economic theories to better explain why we are seeing the ob- 
served growth and to examine the effects of Internet growth, e-commerce develop- 
ment, and regulatory actions on the international cryptographic market over time, 
thus getting better insights into the implications of various policy options. 

1. INTRODUCTION

This project has three main goals: to provide a comprehensive survey of foreign 
encryption products available worldwide; to identify specific foreign competitors like- 
ly to present a significant economic threat to U.S. manufacturers of software and 
hardware with encryption capabilities; and to provide evidence, if found, of potential 
threats to U.S. leadership in information technology as a result of U.S. export
regulations on encryption products.

While this work was undertaken within a very short time frame, and with limited 
resources, it still provides much new evidence to support the conclusions in Section 
7. This evidence can be augmented with additional information as time permits. We 
do not offer opinions or analysis of key escrow or recovery policies, do long-term 
technological forecasting, or offer detailed political/social analysis of export control 
policies. Our goal is to provide an accurate, up-to-date survey of encryption products 
developed outside the United States and to provide some information on the United 
States export control regime and its effect on American and foreign manufacturers. 

2. PRIOR WORK 

One of our first tasks in this project was to examine prior relevant work. Several 
important documents were studied in this regard. 

2.1 U.S. Department of Commerce / National Security Agency Study

The U.S. Department of Commerce Bureau of Export Administration (BXA) and 
the National Security Agency (NSA) jointly issued a study [Commerce/NSA Study 
1996] that assessed the then current and future market for software products con- 
taining encryption and the impact of export controls on the U.S. software industry. 
Quoting from the press release that accompanied the study, “. . . The study found 
that the U.S. software industry still dominates world markets. In those markets not 
offering strong encryption, U.S. software encryption remains the dominant choice. 
However the existence of foreign products with labels indicating DES (Data 
Encryption Standard) or other strong algorithms, even if they are less secure than 
claimed, can nonetheless have a negative impact on U.S. competitiveness. The study 
also notes that the existence of strong U.S. export controls on encryption may have 
discouraged U.S. software producers from enhancing security features of general 
purpose software products to meet the anticipated growth in demand by foreign 
markets. All countries that are major producers of commercial encryption products 
were found to control exports to some extent. The study found that because
customers lack a way to determine actual encryption strength, they sometimes choose
foreign products over apparently weaker U.S. ones, giving those foreign products a 
competitive advantage.” [U.S. DoC 1996] 

2.2 National Research Council CRISIS Report 

A report [CRISIS 1996] was published in 1996 by the National Research Council’s 
Committee to Study National Cryptography Policy. It examined a number of issues 
related to our study. Based on work by a committee chaired by former Deputy Sec- 
retary of State Kenneth Dam and populated by a number of professionals from the 
law, intelligence, and computer science communities, it concluded that the United 
States should promote widespread commercial use of technologies that can prevent 
unauthorized access to electronic information, that the export of the Data 
Encryption Standard (DES) should be allowed to provide (what was then considered)
an acceptable level of security, and that the United States should progressively
relax but not eliminate export controls.

The report also states “widespread commercial and private use of cryptography 
in the U.S. and abroad is inevitable in the long run and its advantages, on balance,
outweigh the disadvantages”. The committee concludes by noting “the interests of 
the government and the nation would be best served by a policy that fosters a judi- 
cious transition toward a broad use of cryptography”. 

2.3 President’s Export Council Subcommittee on Encryption Report 

The President’s Export Council Subcommittee on Encryption (PECSENC) is char- 
tered by the Secretary of Commerce to provide the private and public sector with 
the opportunity to advise the U.S. Government on the future of commercial 
encryption export policy. The members of the PECSENC consist of representatives 
from industry, academia, nonprofit foundations, state and local law enforcement, 
and elsewhere in the private sector. In September 1998, its Working Group on
International Issues issued a report [PECSENC 1998, included as Appendix D] that
found “the difference between U.S. encryption controls and those of other nations 
is a serious — but not the only — factor determining success in the computer security 
market.” It also concluded that, “the adverse impact of controls on U.S. industry is 
palpable. For many software applications, business customers simply demand secu- 
rity and encryption; it is a checklist item, and its absence is a deal breaker.” 

The report also highlighted an example of a non-U.S. company using the dif- 
ference in export control regimes as “leverage” to ultimately attempt to dominate 
particular applications: 
“. . . Brokat, a German company that scarcely existed four years ago, now has
250 employees and offices in several countries including the United States. 
Brokat’s specialty is Internet banking and electronic commerce, but it broke into 
that business on the strength of being able to offer stronger encryption than 
German banks could obtain in Netscape or Microsoft browsers. It is now a 
major player in this niche, with 50% of the European Internet banking market 
and enough U.S. customers to justify a 20-person U.S. branch office. Meanwhile, 
encryption constitutes 10% or less of Brokat’s revenue, and it has expanded its 
initial Internet banking offerings to include support for other forms of electronic 
commerce. Loss of U.S. competitiveness in the electronic commerce software 
market obviously raises concerns not just about encryption software but other 
software opportunities. Indeed, it foreshadows a weakening of the U.S. position 
as a leader in electronic commerce generally.” 

The report also was concerned that “the persistent emphasis in U.S. export con- 
trol policy over the past two years on key recovery, or “lawful access,” has also 
taken a toll on the credibility of U.S. security products. . . . Foreign governments 
and competitors, particularly in Europe, have misinterpreted this U.S. policy, per- 
haps deliberately. In essence, foreign customers are told often by their governments 
as well as local security companies that all U.S. encryption products come with a 
back door allowing the U.S. government to read the contents. In part this is the re- 
sult of outmoded ‘Recovery’ supplements to U.S. export rules that demand an unre- 
alistic level of U.S. government access to key recovery products.” 

3. SURVEY OF CRYPTOGRAPHIC PRODUCTS OUTSIDE THE U.S. 


3.1 Overview 

The principal investigator and the subcontractor of this current project also stud- 
ied the worldwide availability of cryptographic products since April 1993 as part of 
what has become known as the “TIS Survey” [TIS 1997]. The results of this earlier 
work have been presented to the Computer Systems Security and Privacy Advisory 
Board (CSSPAB) of the National Institute of Standards and Technology (NIST) and 
presented by Stephen T. Walker, President of Trusted Information Systems, to two 
Congressional subcommittees [Walker 1993, Walker 1994]. The survey was also pro- 
vided to numerous government agencies and departments as part of their efforts to 
understand the availability of cryptographic products and its impact on U.S. export 
control policies. 

The TIS Survey continued until December 1997, at which time it identified 666 
foreign cryptographic products from 29 countries. The survey also identified 963 do- 
mestic products, for a worldwide total of 1619 products produced and distributed by 
949 companies (474 foreign and 475 domestic) in at least 68 countries. 

Our goal for this current study was to update the foreign product portion of the 
TIS Survey. We focused mainly on discovering new products from foreign manufac- 
turers and also spent some time updating entries for the existing foreign products 
in the database. 

Information collected by the TIS Survey was assembled into an MS Access database.
The database includes two tables, one for cryptographic products and a second
table for companies that either produce or distribute cryptographic products. Each
entry in the product table includes the following information:

• Name/Version

• Manufacturer and Country

• Platforms: PC, Mac, Workstation, Mainframe, DOS, Windows, UNIX, etc.

• Interfaces: RS232, X.21, X.25, V.21, V.24, RJ-11, etc.

• Type: HW, SW, HW/SW combo.

• What It Encrypts: Data, Files, Directories, Disks, Communications, Voice, Fax, Tape, Email, etc.

• Embodiment: Program, Kit, Chip, Board, Box, Tokens, PCMCIA, Smart Card, Phone, etc.

• Cryptographic Algorithms: DES, Triple DES (3DES), Blowfish, IDEA, CAST, Proprietary, RC2/4/5,
SKIPJACK, Stream Ciphers, RSA, El Gamal, DH, DSA, ECC, MD2/4/5, SHA-1, etc.

• How Distributed: Mass-Market, Direct, Shareware, Internet, etc.

• Company Information: Name, Country, Address, Contact Information, etc.

3.2 Data Collection Methodology 

We used the following methods of data collection: issue a call for information and 
examine the results, plumb existing work available to us, and use the World Wide 
Web to conduct searches for new products and information. 
The call for information to elicit information from the computer cryptography
community regarding new products (Appendix A) was posted in the following
newsgroups and mailing lists (IETF is the Internet Engineering Task Force [IETF]): 

• sci.crypt newsgroup: discussion of the science of cryptology, including
cryptography, cryptanalysis, and related topics such as one-way hash functions.

• Risks mailing list: describes many of the technological risks that happen in to- 
day’s environment. 

• Cypherpunks mailing list: forum for discussing cryptography, privacy, and re- 
lated social issues. 

• Cryptography mailing list: mailing list devoted to cryptographic technology and 
its political impact. 

• Firewalls mailing list: discussion of Internet “firewall” security systems and re- 
lated issues. 

• IETF Web Transaction Security (wts) Working Group mailing list: discussion of 
the development of requirements and a specification for the provision of security 
services to Web transactions.

• IETF Secure Shell (secsh) Working Group mailing list: discussion of efforts to 
update and standardize the SSH protocol. 

• IETF IP Security Protocol (ipsec) Working Group mailing list: discussion of the 
standards efforts on IP Security. 

• IETF An Open Specification for Pretty Good Privacy (openpgp) Working Group 
mailing list: discussion of extending the current PGP protocol. 

The Call and Survey were also posted on the Web site of the Cyberspace Policy 
Institute of The George Washington University [CPI 1999]. Additionally, project 
team members sent the survey out to individuals who they believed might know of 
foreign products. 

The existing work available to us included trade magazines, journals, buyers 
guides [CSI, iCSA Survey], and other print material. 

Most of our new information on foreign cryptography products was found by using 
Web search engines and gathering information from Web pages. 

3.3 Results of Update to Cryptographic Products Survey 

Our effort to update the cryptographic products survey focused mainly on discov- 
ering new products from foreign producers, but also involved updating information 
on some of the existing foreign products in the database. Since we did not set out 
to update information on cryptographic products produced in the U.S., the number 
of domestic cryptographic products changed only slightly (when we came across 
something and thus updated the information). However, we expect that the number 
of cryptographic products produced in the U.S. has in fact also increased. NAI Labs 
plans to further update the domestic portion of the survey in the near future. 

The updated foreign cryptographic product survey (see summary table on fol- 
lowing page) now identifies a total of 805 hardware and/or software products incor- 
porating cryptography manufactured in 35 countries outside the United States. The 
most foreign cryptographic products are manufactured in the United Kingdom,
followed by Germany, Canada, Australia, Switzerland, Sweden, the Netherlands, and
Israel in that order. Other countries accounted for slightly more than a quarter of 
the world’s total of encryption products. A full summary listing of the foreign cryp- 
tographic products can be found in Appendix B. 

The 805 foreign cryptographic products resulting from the current update
represent a 149-product increase over the December 1997 survey. A majority of the
new foreign cryptographic products are software rather than hardware. 

Another notable finding is that a majority of new foreign cryptographic products 
are oriented toward communications rather than data storage applications; and 
these heavily tended towards secure electronic mail, IP security (IPsec), and Virtual 
Private Network (VPN) applications. The results also showed a lot of activity in 
IPsec implementation, which is likely prompted by the recent emergence of new 
IPsec specifications from the IETF [IPSEC]. 

The updated foreign cryptographic product survey also identified a total of 512 
foreign companies that either manufacture or distribute foreign cryptographic prod- 
ucts in at least 67 countries outside the United States. A full summary listing of 
these is given in Appendix C. 

3.3.1 More “Strong” Encryption is on the Market 

The updated foreign cryptographic products survey also showed increasing use of 
“strong” alternative cryptographic algorithms to DES, which uses a 56-bit key. Alto- 
gether, we identified at least 167 foreign cryptographic products that use Triple 
DES, IDEA, BLOWFISH, RC5, or CAST-128, which support larger key lengths. De- 
spite the increasing use of these stronger alternatives to DES, there also continues 
to be a large number of foreign products offering the use of DES, though we expect
to see a decrease in coming years. 

We identified at least 123 foreign cryptographic products that use Triple DES, 
which employs either two traditional DES keys, for an effective key length of 112 
bits, or three DES keys, for an effective key length of 168 bits. 

We identified at least 54 foreign cryptographic products that use the International
Data Encryption Algorithm (IDEA), a Swiss-developed symmetric block cipher with 
a 128-bit key length [Lai 1990, Lai 1991]. 

We identified at least 36 foreign cryptographic products that use BLOWFISH, a 
symmetric block cipher developed by Bruce Schneier with a variable key length 
ranging from 32 to 448 bits [Schneier 1993, Schneier 1994]. Many of these products 
appear to use BLOWFISH with the full 448-bit key length. 

We identified at least 2 foreign cryptographic products that use RC5, a symmetric 
block cipher developed by Ron Rivest (one of the RSA inventors) with a variable 
length key up to 2040 bits [Rivest 1996]. 

We identified at least 12 foreign cryptographic products that use CAST-128, a 
symmetric block cipher developed by Carlisle Adams of Entrust Technologies in 
Canada with a variable length key up to 128 bits [Adams 1997]. 

GROWING DEVELOPMENT OF FOREIGN ENCRYPTION PRODUCTS
IN THE FACE OF U.S. EXPORT REGULATIONS


Foreign Cryptographic Survey Results (as of May 1999)

The updated survey identified a total of 805 foreign cryptographic products from 35 
countries: 


Argentina, Australia, Austria, Belgium, Canada, Czech Republic, Denmark,
Estonia, Finland, France, Germany, Greece, Hong Kong, Iceland, India, Iran,
Ireland, Isle Of Man, Israel, Italy, Japan, Mexico, Netherlands, New Zealand,
Norway, Poland, Romania, Russia, South Africa, South Korea, Spain, Sweden,
Switzerland, Turkey, UK

At least 167 of these foreign cryptographic products implement "strong" 
cryptographic algorithms, including Triple DES, IDEA, BLOWFISH, RC5, or CAST. 

We identified 512 foreign cryptography companies (including distributors as well as 
manufacturers) in at least 67 countries. 


Table 1. Foreign cryptographic products survey results 



3.3.2 New Countries and Growth Countries for Cryptographic Products

The update identified six new countries producing cryptographic products. The 
countries that have started producing encryption products since December 1997 are 
Estonia, Iceland, Isle of Man, Romania, South Korea, and Turkey. 

We also noticed a large increase in the number of products produced by certain 
countries, such as the United Kingdom, which jumped by 20 products from 119 to 
139, and Germany, which jumped from 76 products to 104. 

Japan also showed a large increase, jumping from 6 products in the December 
1997 survey to 18 products in the updated survey. Most of the new products come 
from Mitsubishi Electronic Corporation, which has introduced a number of hardware
and software cryptographic products that make use of a Japanese cryptographic
algorithm known as MISTY, which uses a 128-bit key as well as Triple
DES [Matsui 1996, MISTY]. 

Mexico also increased, from a single “freeware” product in the December 1997 sur- 
vey to six products in the updated survey, due to the discovery of five new commer- 
cial cryptographic products from Seguridata Privada S.A de C.V., which is described 
in greater detail in Section 4. 

Figure 2. Growing numbers of foreign cryptographic products and companies

3.3.3 Growing Numbers of Foreign Products & Companies

The TIS Survey was initiated in April 1993 and conducted on an ongoing basis 
through December 1997. Figure 2 depicts the evolution of the survey in terms of 
the increasing numbers of foreign cryptographic products and companies (manufac- 
turers and distributors) identified each year of the survey effort and after the recent 
update. Overall, there clearly continues to be increasing and expanding development 
of foreign cryptographic products.

3.3.4 Quality of Foreign Cryptographic Products 

NAI Labs has obtained a number of foreign cryptographic products over the life 
of the survey effort. The products were all purchased via routine channels, either 
directly from the foreign manufacturer, a foreign distributor, or a U.S. distributor.
We have also downloaded a large number of foreign cryptographic products over the 
Internet via the World Wide Web. 

The quality of cryptographic products varies greatly both within and outside the 
U.S. We have encountered poor quality products both within and outside the U.S., 
and we have encountered good quality products both within and outside the U.S. 
On average, the quality of foreign and U.S. products is comparable. There are a 
number of very good foreign encryption products that are quite competitive in 
strength, standards compliance, and functionality. We highlight some of these in the 
next section. 

4. SOME COMPETITORS TO U.S. PRODUCTS EMPLOYING CRYPTOGRAPHY 

After updating the cryptography product database, based on prior surveys and 
new information, we searched out information on the foreign manufacturers that 
were representative competitors to U.S. manufacturers of software and hardware 
with encryption capabilities. We did this by examining traditional sources such as 
business magazines, major newspapers, and trade publications; interviewing indus- 
try leaders and security professionals; and using various Web-based search methods 
[Lexis-Nexis, ABI/Inform, FirstSearch, Gale] to find appropriate combinations of 
keywords (encryption, U.S., US, United States, foreign, overseas, regulation, export, 
export controls). 

We identified a substantial number of foreign companies that are developing a 
number of products with strong encryption and have as customers a number of large 
foreign or multinational corporations. We sketch nine of these in this section to pro- 
vide a representative sampling. All but one already provide strong encryption (as 
defined in Section 3.3.1). 

Some of the material below has references to cryptographic algorithms, protocols, 
and other computer science terms that may not be familiar to some readers. More 
information on these can generally be found in [Stallings 1999] and [Rivest 1978]. 

Baltimore Technologies Plc, IRELAND / UNITED KINGDOM / AUSTRALIA

Baltimore Technologies plc. was formed by the merger in January 1999 of Zergo
Holdings plc. (UK) and Baltimore Technologies Ltd. (Ireland). Its regional
headquarters are located in Dublin (Ireland), Plano (Texas) and Sydney (Australia).
Corporate headquarters are located in London, UK [Baltimore 1999a].

Baltimore develops and markets security products and services for a wide range 
of e-commerce and enterprise applications. Its products include Public Key infra- 
structure (PKI) systems, cryptographic toolkits, security applications and hardware 
cryptographic devices. 

Baltimore’s security toolkits include PKI-Plus, ECS Desktop, C/SSL, J/SSL, SMT, 
CST, and J/CRYPTO. The PKI-Plus toolkit provides clients with the functionality 
to support a Public Key Infrastructure and provides encryption capabilities with full 
strength DES, Triple DES and IDEA. ECS Desktop is a high level GSS toolkit that 
supports 64-bit DES and 128-bit Triple DES. C/SSL and J/SSL are cryptographic 
toolkits for developing SSL 3.0 applications written in C and Java respectively. C/ 
SSL supports 56-bit DES and 128-bit Triple DES, IDEA and RC4. J/SSL supports 
56-bit DES, and 128-bit Triple DES and RC4. SMT (Secure Messaging Toolkit) pro- 
vides developers the ability to add security to messaging (email) applications. The 
encryption algorithms supported are 56-bit DES, 128-bit Triple DES, and 40-bit,
64-bit, and 128-bit RC2. CST (Crypto Systems Toolkit) is a set of cryptographic
components enabling developers to build strong information security systems. It contains
implementations of a variety of encryption algorithms including DES, Triple DES 
with up to 192 bits key length, IDEA, BSA4, BSA5, RC2, RC4, up to 2048-bit RSA, 
and DSA. J/CRYPTO is a cryptographic class library for Java applications that
supports 56-bit DES, 112-bit Triple DES, and RC4 encryption, and 512-, 1024-, and
2048-bit RSA key exchange and digital signature. 

Security application solutions include FormSecure, MailSecure, MailSecure
Enterprise, and WebSecure. Of its security applications, FormSecure, which provides
PKI security for Web browser forms, uses DES and triple-DES encryption with 128-bit
keys. MailSecure provides secure email for MS Outlook, Exchange and Eudora using
128-bit DES, Triple DES and RC2. MailSecure Enterprise, a centralized secure
email product, provides encryption with 128-bit Triple DES. WebSecure enhances
web server to browser communication in cases where export versions of specific
browsers are limited to 40 bits of encryption by diverting all web traffic to its Java
programs that use 128-bit RC4 encryption.

Baltimore’s hardware cryptographic device, HS4000-Assure provides a security 
kernel for high speed servers and workstations and features 56-bit DES and 112- 
bit Triple DES data encryption, and up to 4096-bit RSA key exchange and digital 
signatures. 

“Baltimore has customers in over forty countries including some of the world’s 
leading financial, e-commerce, telecommunications companies and government agen- 
cies. Customers include: ABN-AMRO Bank, Australian Tax Office, Bank of England, 
Bank of Ireland, Belgacom, Digital Equipment, European Commission, Home Office 
(UK), IBM, Lehman Brothers, Ministry of Defense (UK), NatWest, NIST (USA), 
PTT Post (Netherlands), S.W.I.F.T., Tradelink (Hong Kong), TradeVan (Malaysia) 
and VISA International” [Baltimore 1999a].

“Baltimore has also formed alliances with other major global providers of informa- 
tion security technology and services, including ActivCard, Axent Technologies, 
CDC, Certicom, Chrysalis, CISCO, Dascom, DataKey, GemPlus, Gradient, Hewlett- 
Packard, ICL, Isocor, Kyberpass, Logica, Netscape, Oracle, Racal and Valicert” [Bal- 
timore 1999a]. 

Brokat Infosystems AG, GERMANY 

BROKAT was founded in 1994. Its headquarters is in Stuttgart, Germany. Sub- 
sidiaries are located in Great Britain, Ireland, Luxembourg, Austria, Switzerland, 
Singapore, Australia, South Africa and the United States. Brokat develops secure 
solutions for Internet-banking, Internet-brokerage and Internet-payment by allow- 
ing companies through the use of its products to develop secure electronic banking 
and electronic commerce solutions [Brokat 1999a]. Its main product, Brokat Twister, 
is a software package enabling secure electronic business solutions and provides 
Java-based 128-bit encryption. Brokat’s X-PRESSO Security Gateway provides 
Twister with a secure Internet channel, using strong SSL encryption. It supports 
128-bit IDEA and Triple DES for data encryption, and RSA up to 2048 bits for key 
exchange and digital signatures. 

In its press release of May 19, 1999 Brokat claims a sales increase of 125% in 
the third quarter of 1998/1999 compared to the same quarter in the previous year 
[Brokat 1999b]. 

More than 100 financial service companies use Twister. Brokat customers include 
Deutsche Bank, Bank 24, Allianz, Fortis Bank Luxembourg, the Zurich
Kantonalbank, Hypo Bank of Munich, and The Swiss National Telephone Company 
[Andrews 1997]. 

Brokat’s “Product Partners” include AOL Bertelsmann Online, Corporate Inter- 
active, Inc., Intershop Communications, Micrologica, Netscape Communications, 
Giesecke & Devrient, and Concord-Eracom. 

Check Point Software Technologies Ltd., ISRAEL 

“Check Point provides secure enterprise networking solutions through an inte- 
grated architecture that includes network security, traffic control and IP address 
management. Check Point solutions are aimed at enabling customers to implement 
centralized policy-based management with enterprise-wide distributed deployment” 
[Check Point 1999a]. 

“The company’s integrated architecture includes network security (FireWall-1, 
VPN-1, Open Security Manager and Provider-1), traffic control (FloodGate-1 and
ConnectControl) and IP address management (Meta IP)” [Check Point 1999b]. 

“Check Point products protect and manage the corporate assets of the majority 
of Fortune 100 companies and other leading companies and government agencies 
across the globe. As of April 1999, the company had more than 30,000 registered 
customers with over 77,000 installations worldwide and 17,000+ networks
worldwide using its VPN solution. The Meta IP and Meta DNS products had some 15,000
installations worldwide” [Check Point 1999b]. 

The company’s international headquarters are located in Ramat-Gan, Israel. 
International subsidiaries are located in the United Kingdom, France, Germany, 
Japan, Singapore, Australia, the Middle East and Canada. U.S. subsidiaries are
located in northern and southern California, Colorado, Georgia, Illinois,
Massachusetts, Michigan, New York, North Carolina, Philadelphia, Texas, Virginia and
Washington.

In an April 19, 1999 press release, Check Point announced that “revenues for the 
first quarter ending March 31 were $43,772,000 compared to $31,956,000 for the 
same period in 1998, an increase of 37%. Net income for the quarter was 
$19,703,000, or $0.49 per share compared to net income of $15,149,000, or $0.39 per 
share in the same quarter in 1998, an increase of 30% in net income and 26% in 
net income per share. Check Point experienced growth across all geographic regions, 
particularly in Japan. Revenues from the U.S. accounted for 45% of revenues, Eu- 
rope 34% and Rest of World 21%. In addition, revenues from Technical Services 
reached 17% in the first quarter. OEM revenues, including those from Nokia and 
Sun Microsystems, represented 11% of revenues” [Check Point 1999c].

Based on figures from 1997, Check Point is the leading vendor of firewalls with 
a 23% share in the firewall market — a revenue of $83 million in firewall sales 
[Inter@ctive Week 1998]. 

Check Point’s firewall solution, FireWall-1, provides a comprehensive set of security
solutions which includes VPN through the support of encryption algorithms such as 
40- and 56-bit DES, 168-bit Triple DES, 40-bit RC4, 40- and 128-bit CAST, and 48- 
bit FWZ-1 (FWZ-1 is Check Point’s 48-bit exportable proprietary symmetric 
encryption algorithm). 

Check Point’s VPN solution products include VPN-1 Gateway, VPN-1
SecuRemote, VPN-1 Accelerator Card, and VPN-1 Appliance. VPN-1 Gateway
products are software solutions that provide encryption supporting the following
algorithms: 40- and 56-bit DES, 168-bit Triple DES, 40-bit RC4, 40- and 128-bit CAST,
and 48-bit FWZ-1. VPN-1 SecuRemote provides VPN support for remote and
mobile users. It supports 40- and 56-bit DES, 168-bit Triple DES, 40-bit CAST, and
48-bit FWZ-1. VPN-1 Accelerator Card provides hardware-based data encryption
using 56-bit DES and 168-bit Triple DES. VPN-1 Appliance uses 40- and 56-bit
DES, 40-bit RC4, and 48-bit FWZ-1.

Check Point’s Open Platform for Secure Enterprise Connectivity (OPSEC) is an 
alliance that delivers the industry’s first enterprise-wide security framework. 
OPSEC provides a single framework that integrates and manages all aspects of
secure enterprise networking through an open, extensible management framework. Via
the OPSEC Alliance, Check Point Software’s products seamlessly integrate with
“best-of-breed” products from more than 200 leading industry partners. A complete
listing of OPSEC partners can be found at http://www.opsec.com/.

Data Fellows Ltd., FINLAND 

“Data Fellows develops, markets and supports data security products for cor- 
porate computer networks. Its products include anti-virus software, and data secu- 
rity and cryptography software. Its main offices are in San Jose, California and 
Espoo, Finland, and it has branch offices as well as corporate partners, VARs and 
other distributors in over 80 countries around the world. Its products have been 
translated into over 20 languages” [Data Fellows 1999a]. 

Data Fellows’ F-Secure cryptography products are a family of cryptography soft- 
ware to protect the integrity and confidentiality of sensitive information. Its family 
of products include F-Secure VPN+, F-Secure VPN, F-Secure SSH, F-Secure
FileCrypto, and F-Secure Desktop. F-Secure VPN+ provides IPSec protocol based
security for secure networking between remote offices, business partners and
travelling salesmen using 56-bit DES, 168-bit Triple DES, 128-bit Blowfish, and 128-bit
CAST. F-Secure VPN (Virtual Private Network) is an SSH security protocol based 
solution for pure LAN-to-LAN encryption using a variety of user selectable algo- 
rithms including Triple DES, Blowfish, RSA, and IDEA (optional). The symmetric 
algorithms all use at least 128 bits. F-Secure SSH Server provides users with secure 
login connections, file transfer, X11, and TCP/IP connections over untrusted
networks using 128-bit Triple DES and 128-bit IDEA. F-Secure SSH Terminal&Tunnel
provides the user with secure login connections over untrusted networks and to cre- 
ate local proxy servers for remote TCP/IP services. F-Secure SSH Tunnel&Terminal 
products support the following cryptographic algorithms: 56-bit DES, 168-bit Triple 
DES, 128-bit IDEA, 128-bit Blowfish, 256-bit Twofish, and 128-bit ARCFour (an 
RC4 compatible stream cipher). F-Secure FileCrypto is a product that encrypts and 
decrypts files using 256-bit Blowfish and 168-bit Triple DES. F-Secure Desktop pro- 
vides encryption and decryption of files, directories, and Windows 95/NT 4.0 folders 
using 256-bit Blowfish and 168-bit DES. 

“The Company’s net sales have doubled annually since it was founded in 1988. 
Turnover has reached $3.3 million, $7.6 million and $14.1 million in the fiscal years 
1995, 1996 and 1997, respectively” [Data Fellows 1999a]. 

“Data Fellows has customers in more than 100 countries. These include many of
the world’s largest industrial corporations and best-known telecommunications
companies; major international airlines; several European governments, post offices and
defense forces; and several of the world’s largest banks. Customers include NASA,
the US Air Force, the US Department of Defense Medical branch, the US Naval
Warfare Center, the San Diego Supercomputer Center, Lawrence-Livermore
National Laboratory, IBM, Unisys, Siemens-Nixdorf, EDS, Cisco, Nokia, Sonera
(formerly Telecom Finland), UUNet Technologies, Boeing, Bell Atlantic, and MCI”
[Data Fellows 1999a].

Entrust Technologies, CANADA 

Entrust is a Canadian company that spun off from Northern Telecom (Nortel). It 
develops cryptographic products in Canada and exports them from there. It now has 
offices across the United States, Canada, the United Kingdom, Switzerland, Ger- 
many, and Japan. 

Entrust develops products for trusted electronic transactions. Its products include 
solutions for secure Internet transactions including digital certificate services and 
public-key infrastructures (PKI) products. 

Entrust File Toolkit delivers a set of application programming interfaces (APIs)
to add encryption and digital signatures to store-and-forward (email, e-forms)
applications. It supports DES, Triple DES, RSA and RC2. Entrust Session Toolkit is
designed for third-party applications that need to protect data communications in
real-time. It supports DES, Triple DES, and RC2. Entrust/Solo is a product that provides
data encryption, digital signature and data compression functionality for the desk- 
top and e-mail using DES, Triple DES and CAST. 

The company’s more than 800 corporate customers include J.P. Morgan, the 
Salomon Smith Barney unit of Citigroup, ScotiaBank, S.W.I.F.T, FedEx, the
Canadian Government and several U.S. government agencies.

Entrust’s industry partners include development partners such as Hewlett-Packard,
Network Associates, Oracle, Nortel Networks and others; 25 channel partners
including Hewlett-Packard and Compaq; OEM partners: IBM, Tandem, Check Point
and others; specifiers and referral partners such as PriceWaterhouse Coopers,
Deloitte & Touche, KPMG Peat Marwick, Ernst & Young, and others; and service
provider partners such as BCE Emergis, EDS, Scotiabank and others [Entrust
1999].

Radguard, ISRAEL 

RADGUARD was founded in 1994 as a member of the RAD Group of data commu- 
nications companies. Privately held, the company is backed by American and foreign 
corporate investors. The company’s international headquarters are located in Tel 
Aviv, Israel; its US headquarters are in Mahwah, NJ. 

Radguard is a pioneer and leader in the secure Virtual Private Network (VPN) 
market. Incorporating security technologies and industry standards into high-per- 
formance hardware architectures, Radguard provides solutions to Internet-based 
virtual private networking, secure non-Internet transmission, safe Internet 
connectivity and client encryption. Its VPN and network security products include 
cIPRO, CryptoWall, and NetCryptor. cIPRO is an Internet-working security system 
for VPNs. The cIPRO family uses DES and up to 168-bit Triple DES for encryption. 
CryptoWall is an encrypting firewall that supports subnet-to-subnet security in 
TCP/IP environments. It supports DES for data encryption and RSA for key ex- 
change and digital signature. NetCryptor is a hardware-based encryption device 
that employs DES. 

Customers include NTT Data, a subsidiary of Japan’s Nippon Telephone and Tele- 
graph (NTT), Germany’s major car makers and component suppliers including 
BMW, Bosch, BEHR, Drexlmaier, Audi, Freudenberg, DaimlerChrysler, Volkswagen
and Hella. 

Seguridata Privada S.A de C.V., MEXICO 

SeguriDATA is a Mexican company founded in 1996 with the purpose of partici- 
pating actively in the construction of security standards in Mexico and Latin Amer- 
ica by means of integration in committees, with products in electronic security. It 
has offices in Peru and Spain as well as Mexico. The company provides confiden- 
tiality and authenticity of electronic documents with applications to electronic com- 
merce, financial transactions and confidential systems of communications. 

Its products include SeguriDOC, SeguriEDIFACT, SeguriLIB, SeguriPROXY, and
SeguriTELNET. SeguriDOC offers Triple DES for confidentiality of archived data. 
SeguriEDIFACT provides security for EDI communications using Triple DES. 
SeguriPROXY provides security between web server and web browser sessions using 
128-bit RC4. 

Sophos Plc., UK

Sophos Plc was founded in 1980 and moved into data security in 1985, producing
software and hardware for data encryption, authentication and secure erasure. Its
virus detection product has positioned the company as a leading supplier of
enterprise-wide virus protection tools. Subsidiaries include Sophos Pty Ltd, Australia,
established in April 1999, Sophos Plc, France, established in May 1998, Sophos
GmbH, Germany established in October 1997, and Sophos Inc, USA, a wholly-owned
subsidiary of Sophos Plc based in Massachusetts, USA [Sophos 1999]. Sophos data
security products include D-Fence 4 HMG, D-Fence 4 SPA, E-DES, and PUBLIC. 
D-FENCE HMG is a disk authorization and encryption system for HMG, providing 
encryption and authentication of floppy and hard disks using SEVERN BRIDGE, a 
U.K. Government standard algorithm. D-FENCE SPA is a data encryption system 
for PCs and laptops using SPA (Sophos Proprietary Algorithm) for encryption of 
floppy and hard disks. SPA is a 64-bit block cipher with 64-bit keys. E-DES and 
PUBLIC are products used for secure file storage and transmission. E-DES encrypts 
files using DES or SPA, while PUBLIC encrypts files using 512-bit RSA or MDH 
in combination with DES or SPA. 

Customers include government, financial institutions and multi-national corpora- 
tions. 

Utimaco Safeware AG, GERMANY 

Utimaco Safeware AG has subsidiaries in Belgium, France, Finland, Great Brit- 
ain, Austria, the Netherlands, Norway, Sweden and Switzerland and additional dis- 
tribution partners (Value-Added-Resellers) in almost all European countries, in the 
USA, Australia, Asia and in South Africa. Utimaco also has strategic alliances with 
IBM Deutschland Informationssysteme GmbH, SIEMENS AG and Toshiba Europe. 

Utimaco develops IT security solutions for the areas of mobile/desktop security 
(authentication, access control, encryption), network security (authentication, 
encryption), e-commerce security (digital signature, encryption) and security infra- 
structure (smart card reader). 

“Utimaco has three development centres. The SafeGuard product line focussing on 
the “Mobile/Desktop Security” area is developed in Munich, Germany. The develop- 
ment of the SafeGuard product family for “Network Security” and the smart card 
technology and card reader family CardMan is done in Linz, Austria. The third de- 
velopment centre near Brussels (Holsbeck), Belgium, is responsible for the Safe- 
Guard “E-Commerce Security” product line (digital signatures, e-mail security) and 
the CriptWare technology (high-performance implementations of standardized basis- 
crypto algorithms and interfaces)” [Utimaco 1999a]. 

Products for mobile/desktop security include SafeGuard Easy, and SafeGuard 
Desktop. SafeGuard Easy is a security program for the online-encryption of hard 
disks and diskettes. It operates with the encryption algorithms Blowfish, STEALTH, 
56-bit DES and 128-bit IDEA to guarantee the confidential storage of sensitive data. 
SafeGuard Desktop is a security solution for OS/2 operating systems offering boot 
and virus protection as well as user logon, and allows online encryption of hard 
disks and floppies with DES, IDEA, STEALTH, Blowfish, and XOR. 

Utimaco network security products include SafeGuard LAN Crypt and SafeGuard 
VPN. SafeGuard LAN Crypt provides protection of selected files against access by 
persons who are physically capable of accessing the data carrier. The solution guar- 
antees the security of encrypted data through a key length of 128 bits and globally 
accepted, strong algorithms such as IDEA. SafeGuard VPN provides Virtual Private 
Networks with secure data transmission using 168-bit Triple DES and 128-bit 
IDEA. 

Utimaco’s E-commerce security products include CryptWare Board, CryptWare 
Server, Cryptware Toolkit, and SafeWare Sign&Crypt. Cryptware Board comes with 
a DES chip, but allows any other encryption algorithm to be easily installed. The 
CryptWare Server is a cryptographic black box designed for applications with high 
security requirements and/or high-speed cryptographic capabilities. It employs DES 
and 1024-bit RSA. The CryptWare Toolkit is a library that provides all necessary 
cryptographic and administrative functions to build secure electronic messaging sys- 
tems. It supports RSA, Triple DES, IDEA, RIPEMD160, MD5, and SHA-1. 
SafeWare Sign&Crypt offers signing and verification of electronic documents. It can 
provide encryption with 128-bit IDEA. 

The breakdown of Utimaco Group sales by industry in the last business year, 
1997/98, is as follows: 29.7% for public institutions, 29.3% for banks, 26.8% for in- 
dustry and commerce and 14.1% for insurance companies. In the last business year 
57 percent of sales were made outside Germany. Its customers include Bertelsmann 
(Gutersloh), Colonia Nordstern Versicherungsmanagement AG (Cologne), Daimler-Benz
Aerospace AG (Kiel), Dresdner Bank, Eduscho GmbH (Bremen), Frankfurter
Sparkasse (Frankfurt), Goldwell GmbH (Darmstadt), Innenministerium
Mecklenburg-Vorpommern (Schwerin), Landesamt fur Datenverarbeitung (Potsdam),
Motorola GmbH (Taunusstein), Otto Versand International GmbH (Hamburg),
Oberverwaltungsgericht Thuringen (Weimar), Price Waterhouse (Frankfurt), Police
Forces (Belgium), Isaserver (Belgium), State Police (Belgium), Unisys for
Christelijke Mutualiteiten (Belgium), The European Commission (Belgium and
Luxembourg), Danfoss A/S (Denmark), ICL Pathway Ltd. (Great Britain), Robert
Fleming & Co. Ltd. (Great Britain), Standard Chartered Bank (Great Britain), Conseil
de l’Union Europeenne (Luxembourg), KPN Telecom (The Netherlands), ABN
AMRO Bank N.V. (The Netherlands), Nycomed Amersham Group (Norway), Schweizer
Post (Switzerland), DDJ, and Justizdirektion des Kantons Zurich (Switzerland).

5. FOREIGN MARKETING USE OF U.S. EXPORT CONTROLS 


5.1 Introduction 

As Under Secretary of Commerce William A. Reinsch noted in recent Congres- 
sional testimony, “encryption remains a hotly debated issue. The Administration 
continues to support a balanced approach that considers privacy and commerce as 
well as protecting important law enforcement and national security equities. We 
have been consulting closely with industry and its customers to develop a policy that 
provides that balance in a way that also reflects the evolving realities of the market 
place” [Reinsch 1999]. As the Commerce Department struggles to craft and finely 
tune export regulations to satisfy these objectives, many foreign cryptography man- 
ufacturers are citing these regulations as reasons for their prospects to not “buy 
American”. Even foreign governments sometimes overtly use these regulations. For 
example, “In a letter sent [in January 1999] to India’s Central Vigilance Commis- 
sion (CVC) — an intelligence agency comparable to the United States’ National Secu- 
rity Agency — the Indian Defense Research and Development Organization said the 
limits the U.S. government places on exported encryption products render the prod- 
ucts too weak for reliable use. The CVC responded that it might mandate that all 
Indian financial institutions buy security software from India” [Dunlap 1999].

5.2 Advertising Related to Cryptographic Controls 

Trade magazines, industry reports, and news articles were searched for consumer 
preference data, including checklists, “ease of use” and “best buy” ratings, etc., to try
to find anecdotal justification or rebuttal of the claim that consumers strongly prefer 
U.S.-made encryption products and systems incorporating U.S.-made encryption, as
asserted, for example, in [Ernst 1999]. 

We did find a reference to a U.S. government study that acknowledged that “in 
many countries surveyed, exportable U.S. encryption products are perceived to be 
of unsatisfactory quality” [Commerce/NSA 1996] (date given as June 1995, page ES-3,
possibly a draft, in [Olbeter 1998]). We also found some information from companies
that claimed or implied that their products are more secure and/or easier to
use than American products burdened by U.S. export controls. Descriptions of the 
various export control regimes are found in [Baker 1998, Koops 1999, and GILC 
1998]. 

Examples of the statements of foreign companies are given below. 

Brokat Infosystems AG (Germany)

Brokat, on its web page [Brokat 1999c], discusses “Secure Communication using
128-bit encryption” and states that “In comparison to other solutions, X-AGENT al- 
lows very secure communication. Highly sensitive information can be exchanged 
using this consultation tool. All data is encrypted with the 128-bit Twister security 
component. Even so-called ’weak’ Internet browsers, which only use a 40-bit 
encryption due to US government export restrictions can be ’topped up’ accordingly 
for the duration of the session.” 

Baltimore Technologies plc. (Ireland / United Kingdom / Australia)

Baltimore Technologies states that WebSecure, a product designed to provide se- 
cure web server to browser communication is useful because “US export restrictions 
dictate that most web servers and browsers cannot perform 128-bit encryption for 
security. Instead, export versions of browsers like Internet Explorer and Netscape 
Navigator and export versions of web servers like Netscape Enterprise Server and 
Microsoft Internet Information Server are limited to 40 bits of encryption, which is 
not secure enough for most applications” [Baltimore 1999b]. 

Cybernetica (Estonia)

Cybernetica advertises “. . . full strength cryptographic security with long keys
and no backdoors” and its Web pages for their products prominently feature this
selling point.

[Cybernetica 1999a] [Cybernetica 1999b]

In their Frequently Asked Questions list on the Web, they go on to celebrate the 
differences between their product and U.S. products: 

• Strong crypto? What algorithms are supported? And what key lengths? 

IDEA. Triple DES. Blowfish. RSA. Diffie-Hellman. The end user has the opportunity
of selecting the algorithms he trusts. And, if the user so requires, support
for further algorithms may be added. You can use as long keys as the algorithms
you have selected allow you to. There are no “political” restrictions on key lengths
to be used in the Privador system.

• What about back doors, key recovery etc?

There are no back doors built into the Privador system. We can — and will — prove
it if so required.

• How come you don’t care about export restrictions?

Because there are none. The Privador System is entirely developed by 
Cybernetica, the first private-law R&D institution in Estonia. The laws of the Re- 
public of Estonia allow us to export strong cryptographic technologies to almost any 
country in the world. 

Utimaco Safeware AG (Germany) 

On its web site, Utimaco states that [Utimaco 1999b] “. . . As a German manu- 
facturer, Utimaco guarantees that no national key depositing requirements (ES- 
CROW) exist which could jeopardize the security of the solution . . .” 

Figure 3. Homepage of Utimaco Safeware AG

Note Utimaco’s home page, illustrated in Figure 3. It is user-friendly for speakers 
of a number of languages. It makes the point that Utimaco has representatives in 
a number of European countries. If the user clicks on his or her country (either on 
the map or on the country abbreviation in the vertical list), he or she is transported 
to a page in their native language that further presents Utimaco and its products 
and services. As an example, Figure 4 shows the homepage of Utimaco Norway that
the user is transported to when Norway is selected from the map.

Figure 4. Homepage of Utimaco Safeware Norge AS

Data Fellows Corporation (Finland) 

Data Fellows makes the readers of its web page aware of U.S. export restrictions 
and states that its products are designed with “much more security” than U.S. prod- 
ucts: 

“. . . The encryption technology used in the F-Secure products has been devel- 
oped in Europe and thus does not fall under the US ITAR export regulations. 
F-Secure products can be used in every country where encryption is legal, in- 
cluding the United States of America . . .” [Data Fellows 1999b] 

“. . . F-Secure FileCrypto uses well-known fast block cipher algorithms. You 
can choose either three-key 3DES or Blowfish. Both algorithms have been ana- 
lyzed by the world’s leading cryptographers. They are known to be strong and 
safe. These algorithms provide security with a minimum of 168-bit keys. They 
provide much more security than DES-based or U.S. products that fall under 
U.S. ITAR export restrictions.” [Data Fellows 1999c].

JCP Computer Services (United Kingdom) 

JCP takes on U.S. products directly based on export controls [JCP 1999]: 

“Many companies are using or considering using implementations of these al- 
gorithms which originate in the US. The US government prohibits export of 
strong cryptographic tools, and, except under specific conditions, only permits 
the export of weak implementations. These ’crippled’ cryptographic tools do not 
provide sufficient protection to allow Internet e-commerce and communications 
to proceed securely. In an amateur attack on a US export-strength cryp- 
tographic routine, the key was broken in 56 hours. And such times will decrease 
markedly as computer processing power continues to improve. 

“JCP has developed full strength implementations outside of the US using in- 
dustry proven standard algorithms. JCP are the leading company outside the 
US producing high performance cryptographic tools in Java, which has become 
the Internet’s standard programming language. The product provides a set of 
packages that implement specific cryptography algorithms for use within any 
Internet application.” 

SSH Communications Security (Finland)

SSH states on their web site [SSH 1999] that “The software from SSH is free from 
strict US export restrictions” as one of “six good reasons why SSH IPSEC Express 
is the best choise (sic)”; it goes on “IPSEC is supposed to be an international stand- 
ard. However, because of export restrictions in different countries, (sic) SSH is one 
of the few to deliver full standards compliance and strong security virtually any- 
where in the world.” 

RPK Security, Inc. (New Zealand, Switzerland, United Kingdom) 

RPK advertises on its web site of its flagship RPK Encryptonite Engine [RPK 
1999], “Developed outside the U.S., the RPK Encryptonite Engine is not subject to 
US government regulations. It is available with strong encryption worldwide, with 
dramatically better performance at significantly lower implementation cost com- 
pared with competing technologies.” Reading further on its web site, one finds that 
“RPK’s cryptographic research and product development is based in New Zealand, 
Switzerland and the U.K, with worldwide sales and marketing operations in San 
Francisco, CA.” 


6. STANDARDS AND THEIR INFLUENCE

6.1 Pervasiveness of Standards 

From the material above, one can see that companies vie to have encryption prod- 
ucts that meet certain accepted worldwide standards. If the products do not, they 
often will not interoperate successfully with other computer systems. This section 
highlights two important international standards efforts. Note the contribution of 
encryption expertise from all over the world to both. 

6.1.1 IPsec

Today’s widespread and pervasive use of the Internet has accentuated the need 
for security for the underlying Internet Protocol (IP). The IETF has developed the 
IP Security (IPsec) protocol as an integral element of internet security. IPsec is a 
proposed standard Internet protocol designed to provide cryptographic-based secu- 
rity, including authentication, integrity, and (optional) confidentiality services. 
While the use of IPsec is currently optional, its use will be mandatory for the next 
version of the Internet Protocol, IPv6 [IPsec]. 

As a result of the dramatic impact IPsec will have on improving the security of 
the Internet, there has been enormous interest in developing implementations of 
IPsec. This interest has extended throughout the entire world, due to the global na- 
ture of the Internet and need for cryptographic-based security. Many freely avail- 
able and commercial implementations of IPsec are available or are under develop- 
ment. Ted Ts’o of MIT, co-chair of the IETF IPsec Working Group, maintains a list 
of companies implementing (or planning to implement) IPsec. The list currently 
cites implementations from 49 companies around the world. At least nine of the 
companies are from outside the U.S. There is also one effort, the KAME Project, 
being conducted by a combination of several Japanese companies (Fujitsu, Hitachi, 
IIJ Research Laboratory, NEC, Toshiba, and Yokogawa) [KAME 1999]. 

Another important aspect of IPsec is that it supports encrypted “tunnels”, where- 
by an IP packet is completely encrypted as it travels from one point of a network 
to another. Encrypted tunnels are one of the primary means for establishing Virtual 
Private Networks, or VPNs, which emulate private networks over public, shared IP 
networks, such as the Internet. 

IPsec is designed to be independent of any specific cryptographic algorithms; it 
can support several, but it will require one strong algorithm, Triple DES; the rel- 
atively weak DES will be permitted but not required. Specifications have also been 
developed for the use of the IDEA, BLOWFISH, RC5, and CAST strong cryp- 
tographic algorithms with long key lengths for IPsec [Stallings 1999]. 

6.1.2 Advanced Encryption Standard (AES) 

In 1997, NIST solicited algorithms for the Advanced Encryption Standard (AES), 
to replace the Data Encryption Standard (DES) [FIPS PUB 46-2] as a government 
encryption standard. Individuals and companies from eleven different foreign coun- 
tries proposed 10 out of the 15 candidate algorithms submitted to NIST [Smid 
1998]: 

| Country | Candidate Algorithm | Submitter(s) |
|  | LOKI97 | Lawrie Brown, Josef Pieprzyk, Jennifer Seberry |
|  | RIJNDAEL | Joan Daemen, Vincent Rijmen |
|  | CAST-256 | Entrust Technologies, Inc. |
|  | DEAL | Outerbridge, Knudsen |
| Costa Rica | FROG | TecApro Internacional S.A. |
| France | DFC | Centre National pour la Recherche Scientifique (CNRS) |
|  | MAGENTA |  |
| Japan | E2 | Nippon Telegraph and Telephone Corporation (NTT) |
| Korea | CRYPTON | Future Systems, Inc. |
| USA | HPC | Rich Schroeppel |
| USA | MARS | IBM |
| USA | RC6 | RSA Laboratories |
| USA | SAFER+ | Cylink Corporation |
| USA | TWOFISH | Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, Niels Ferguson |
| UK/Israel/Norway | SERPENT | Ross Anderson, Eli Biham, Lars Knudsen |

“Of the five submissions likely to be chosen for the next round, about half will 
be from outside the U.S. It is very possible that the next U.S. government 
encryption standard will have been designed outside the U.S.” [Schneier 1999]. 

7. CONCLUSIONS 

Based on the research described above, we arrive at two conclusions: 

1. Foreign development of cryptographic products is not only continuing but is ex- 
panding to additional countries. 

2. Communications-related cryptography is experiencing high growth, especially 
in electronic mail, VPN, and IPsec products. 

7.1 Foreign Development of Cryptography Continues to Grow 

There are now 805 cryptography products produced in 35 countries outside the 
United States. In at least 67 countries, 512 foreign manufacturers and distributors 
are involved. In just three weeks, with limited resources, we identified 149 foreign 
cryptographic products new to market since the December 1997 TIS survey. 

It is difficult to gauge how many additional products would be identified, given 
sufficient time and resources, but it is safe to anticipate that we would identify 
many more products from the countries within the database, and possibly several 
additional countries. 

Development of cryptographic products in nations around the world is increasing. 
Moreover, as additional nations seize opportunities in e-commerce, nation-centric is- 
lands of competence develop, as do ultimately international markets. Often these is- 
lands of competence are developed by bright young entrepreneurs and computer sci- 
entists who have trained elsewhere (often the United States) and then play key 
roles in jump-starting their native countries’ e-commerce. This fits nicely in the
theory of technoglobalization, as espoused by Robert Reich, discussed more in Section 8.

7.2 Communications-Related Cryptography Leads Storage Cryptography 

Within the 149 new products we discovered, communications-related products, as
opposed to data storage encryption, were predominant. It appears that the efforts
of the Internet Engineering Task Force (IETF) to provide standardized protocols for
the Internet have facilitated the development of solutions and products to
communications-related problems. We conjecture that this and the expansion of e-commerce
have resulted in a high growth of communications-related cryptographic products
such as those for electronic mail, VPNs, and IPsec.

IPsec’s support of encrypted tunnels will greatly improve security for private,
enterprise-based networks. As the comfort level of users (and organizations) grows,
and as the potential and actual gains of (consumer to business and business to busi- 
ness) e-commerce become apparent, there will be increased worldwide need for com- 
munications-related cryptography. 

8. FUTURE RESEARCH

To date there have been only a few efforts to attempt to quantify the impact of
regulatory measures on the international cryptographic market [Olbeter 1998, BSA
1998, CDT 1997]. The TIS survey and this effort to update the foreign products
inventory of the database have been one of the few ways to quantitatively assess the
state of the market over time. As noted in Section 7, we saw developments both in 
countries already producing cryptographic products and expansion into new coun- 
tries that did not have cryptographic product development as of December 1997. We 
saw a number of firms become multinational. 

In the face of continuing U.S. export controls on encryption products, technology, 
and services, some American companies have financed the creation or growth of for- 
eign cryptographic firms. We have seen some U.S. companies (e.g., PGP, RSA, Sun) 
buy some foreign expertise, leaving it in place (rather than bringing the talent back 
to the United States). With this expertise offshore, the relatively stringent U.S. ex- 
port controls for cryptographic products can be avoided, since products can be 
shipped from countries with less stringent controls. All of these facts indicate that 
both nations and companies see opportunities in this rapidly changing technological 
market, and it could be argued that globalization plays a major role in future 
growth for this market. 

This is not a case of the technology slipping away from the United States. The 
technological expertise is already available in many places around the world. In- 
deed, we noted earlier that the majority of submissions for the Advanced Encryption 
Standard (AES) have been designed outside the United States. This may be simply 
an example of the general thesis of economists David Mowery and Nathan Rosen- 
berg [Mowery 1989], who argue that, in general, foreign firms’ technological sophis- 
tication has caught up with that of the United States in many cases. In those cases, 
they reason: 

“Since foreign firms now are more technologically sophisticated and technology 
is more internationally mobile, however, the competitive advantages that ac- 
crued in the past from basic research and a strong knowledge base have been 
eroded. Faster international transfer of new technologies is undercutting a 
major source of America’s postwar superiority in high-technology markets.” (p. 
218) 

Our empirical product data could be combined with economic measures and eco- 
nomic theories to better explain why we are seeing the observed growth in 
encryption products and companies around the world, and to examine the effects of 
Internet growth, e-commerce development, and regulatory actions on the inter- 
national cryptographic market over time. 

Porter [1990], for example, tests his theses by using quantitative measures from 
several nations, by industrial sector. His national economic profiles include primary 
goods, machinery, and specialty inputs and services data for each industrial sector. 
Given appropriate quantitative measures, similar work could be done for the inter- 
national cryptography market. 

As the global information-based economy continues to grow, and as the nature of 
industrial research and development continues to shift from nation-centric to inter- 
national collaboration, we will continue to witness more rapid technological develop- 
ment and global economic growth. We should be able to put together previous eco- 
nomic work [Duysters 1996] with material already available on the information 
technology sector [Mowery 1996, Rosenberg 1992] and the data in this study to
better understand the changes we are seeing in the global marketplace and thus be
able to more easily adjust national laws for a global economy. 

Appendices

A. CALL FOR INFORMATION

Please forward this message to others who are interested in the topic. A WWW-version
of this message can be found at
http://www.seas.gwu.edu/seas/institutes/cpi/cryptosurvey/call4info.html

Non-U.S. Cryptographic Product Survey Call for Information 

The George Washington University and NAI Labs, The Security Research Divi- 
sion of Network Associates (formerly the research division of Trusted Information 
Systems) are conducting a survey to identify cryptographic products manufactured 
outside the United States and are examining product specifications to assess their 
functionality and security. 

We are soliciting input from those with knowledge of cryptographic products 
through the use of this survey form. If you know of cryptographic products that are 
manufactured in countries other than the United States, please complete this form 
and submit it to the Cyberspace Policy Institute (CPI) NO LATER THAN TUESDAY
MAY 18, 1999. You may submit this form via email to cpi@seas.gwu.edu or
fax at (202) 994-5506 in Washington D.C.

In addition, we ask you to send or post this survey to anyone or place that would 
have knowledge of cryptographic products. Inquiries about this survey may be made 
to the Cyberspace Policy Institute at cpi@seas.gwu.edu or (202) 994-5512. This
survey may also be found on the CPI Web site at
http://www.seas.gwu.edu/seas/institutes/cpi.

Your cooperation is greatly appreciated. 

Professor Lance J. Hoffman, The George Washington University
David Balenson, NAI Labs, The Security Research Division of Network Associates

NON-U.S. CRYPTOGRAPHIC PRODUCT SURVEY 


DATE: 

COMPLETED BY: 
Your Name: 

Phone: 

E-mail:

NAME AND ADDRESS OF MANUFACTURER 

Name: 

Address: 

City: 

State: 

Zip Code: 

Country: 

URL: 

MANUFACTURER CONTACT INFORMATION 

Name: 

Phone: 

E-mail: 

Title: 

FAX: 

800#: 


PRODUCT DESCRIPTION 

Name (including model and version information): 

Product-specific URL: 

Is it software-only, hardware-only, or a software/hardware combination? 

What does it encrypt (e.g., disk, file, communications, FAX, voice, magnetic tape, 
electronic mail)? 

If embedded software or hardware, what platforms does it support (e.g., PC, Mac, 
UNIX workstation, IBM mainframe), else if standalone hardware, what interfaces 
does it support (RS-232, telephone, V.24, V.35)? 

If software, is it in the form of a kit or as an end-user program, else if hardware, 
what is the embodiment (e.g., chip, board, PCMCIA card, smart card, box, phone)? 

What algorithms does it employ for data encryption (including proprietary algo- 
rithms and key length)? 

If applicable, what algorithms does it employ for key management (including pro- 
prietary algorithms and key length)? 

If applicable, what algorithms does it employ for data authentication (including 
proprietary algorithms)? 

How is the product sold or distributed (e.g., store front, mail order, telephone 
order, World Wide Web, anonymous ftp over the Internet)?

If applicable, what is the quantity one purchase price? 

(Optional) Approximate number of units sold or distributed? 

(Optional) Approximate date product was first available? 

Please provide a list of the names and relationships of any associated companies 
(e.g., parent company, sister company, distributors). Include full address and contact 
name, title, phone, FAX, and e-mail address.

Other information:

Please Provide a Copy of Any Relevant Product Literature. 

Send completed forms and product literature via e-mail to cpi@seas.gwu.edu or 
via fax to the Cyberspace Policy Institute at 202-994-5506 in Washington D.C.

Thank You! 

This survey is part of an ongoing worldwide study of cryptographic products started
in April 1994 by Trusted Information Systems and Dr. Lance J. Hoffman of the
George Washington University. The December 1997 summary results of the survey
are available on the World Wide Web at
http://www.nai.com/products/security/tis_research/crypto/Crypt_surv.asp.

B. SUMMARY LISTING OF FOREIGN CRYPTOGRAPHIC PRODUCTS 

The following table is a summary listing of the foreign products currently
contained in the cryptographic product database. We cannot guarantee the accuracy
and completeness of this information. In many cases, products may support
additional platforms or interfaces, encrypt additional types of information, include
additional embodiments, or support additional encryption algorithms. Additional
information will be available on the NAI Labs Crypto Products Survey Web page at
http://www.nai.com/products/security/tis_research/crypto/crypt_surv.asp.





COUNTRY COMPANY 

ARGENTINA DaiaCrypt 

ARGENTINA Ne^nel S A 

AUSTRALIA AftCtei SouiSimanai^ 

AUSTRALIA BafiksiaTecfiAdogyPly Ltd 

AiUSTRALIA Banksia Technology Ply- Lid. 

AUSTRALIA Bannsia Technology Ply Lid 

AUSTRALIA Banksia TechnotogyPty ua 

AUSTRALIA Carfeor. BaieU Sdtwar* 
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AUSTRALIA Cipne' Research Laooraiones 

.AUSTRALIA CrVDUO^ P<V Ltd. 

AUSTRALIA OytHsoR Ply Lid. 

AUSTRALIA Cyfeanim Ply L!0 

AUSTRALIA Cybanim Ply Lie 

AUSTRALIA Cybamiin Ply Lid 

AUSTRALIA Cybaoinn Pty Lid 

AUSTRALIA DataCryp! 

AUSTRALIA DataCryp! 

AUSTPLALlA DataCnypl 

AUSTRALIA ErSCOrm Ply Lit! 

AUSTRALIA EracomPlyLlS 

AUSTRALIA Eracom Ply Lid. 

AUSTRALIA Eracom Ply Llfl. 

AUSTRALIA Eradom Ply Lid 

AUSTRALIA G'scom Pty Lid. 

AUSTRALIA EraComPlyHa. 

.AUSTRALIA Eracom Ptv Ltd. 

AUSTRALIA EracomPtylid 

AUSTRALIA Erscom Ply LIS. 

AUSTRALIA EracomPlyLIO 

AUSTRALIA Erscom Pty ltd 

AUSTRALIA EracOirNPly US. 

AUSTRALIA Eracom Ply Lid 

AUSTRALI.A Eracom Pty Lid. 

AUSTRALIA EracomPlyLtO 

AUSTRALIA Erscom Ply Ltd 

AUSTRALIA Enc You-19 

AUSTRALIA Enc VoLihg 

AUSTRALIA Enc Young 

AUSTRALIA MicrolOCl' 

AUSTRALIA Mosaic KlCOStneS 

AUSTRALIA MosaiCinauSiheS 

AUSTRALIA NdtSale 
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AUSTRALIA Nick Payne 

AUSTRALIA ftandais 
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AUSTRALIA Secure NetwoiSi Solutions 

AUSTRALIA Seevre Network Soiu((C«ts 

AUSTRALIA Secure Network Solutions 

AUSTRALIA Secure Nsiwofk SotuLcnS 

AUSTRALIA Secure Network SoMiGos 

AUSTRALIA Secure Network Solutions 

AUSTRALIA Secure Network Solulions 

AUSTRALIA Secure Network Solutions 


PRODUCT  PLATFORMS/INTERFACES  TYPE  ENCRYPTS  EMBODIMENT  ENCALG

Software rnpiimeniat-on ot 003 SW GENERAL PGM DES 

Cripiography 

OSD S>612 Data Security Device TTL HW GENEPLAL CHIP DES 

XJiOCi SW FILE PGM PROP 

OtaOel V54 HW COMMS BOX DES 

Pro 14^ V32 HW COMMS BOX DES 

Pro3rt V34 HW COMMS BOX DES 

PrccarfiS4 V.34 HW COMMS PCMCIA DES 

CryplSlream OS2 SW FiLS PGM DES 

Zipstream Secu-e OS2 SW FILE PGM DES 


SSLesy 
SSlfto 
OES32V1 02 
DESF v1 4 
LUC 2 03 
SiFRvC.O 
LetterCrypi 
NoteCiyct 
Pa ssCrypl 

CP 70M inleSigent Encryolion 
Adaptor 

CP500 Slave Encryption Adactor 
CPROV 

eSA 7000 PCI Hardware Crypto 
Adapior 

Encrytstion Setviees API 
ERA 2007 Line Encrvptor 
ERA 4007 Line Encryplor 
JPROV 

NICE Slave Encryption Aclapt«« 

PC vault 

PCA5M tnieiligent Ericryption 
Adaptor 

PCE Slave Encrypicn Asaplor 
Pr oteaSNA 

RSA API 
^CL.r* 

SECPac 

Senes 90 Eracom Security Modufe 
lESM) 

CryplLSS 

feryps 

Kinetic Access 
Touch Lock 


00s 

DOS 

PC 

PC 

PC 

PC 

PC 

PC 

DOS 

PCI 


SOURIS 

PCI 

QS2 

RS232 

SOURIS 

PC 

DCS 

ISA 

ISA. 

ERACOM 

BOARDS 

0S2 

X25 

X.iS 

RS232 


W1N95 


Touch Net « 

EXE Guardian ANY 

N-Sure Access 1000 WK 

Nlrusi WIN 

Cryctexi WIN35 

Megacrypt H-gn Speed DaU RS422V 1 1 

Encrypiof 

BlOCk-ll 

RSA BSAFE SSL-C v1 .0 WIN32 

FAXSAPE telephone 

GSA tOOO Dupie« Wmi Scramoisr RADIO 
GSA13O0 FUOIO 

Guardian-E Data Encryplor RS232 

^ardiBO'EM Encryplor Mcdem flS232 

Guardian-EMP Data Encryptor H5232 

Guardiarn-EP Data ehcryolor RS232 

Megacjypt High Speed Data fiS422/V.1 1 

Encryptor 


SW SSL PGM 

SW FTP PGM 

SW GENERAL KIT 

SW GENERAL PGM 

SW GENERAL PGM 

SW GENERAL PGM 

SW COMMS PGM 

SW FILE PGM 

SW FILE PGM 

HW GENERAL BOARD 

HW GENERAL BOARD 

HW GENERAL BOARD 

HW GENERAL BOARD 

SW GENERAL tCIT 

MW COMMS BOX 

HW COMMS BOX 

HW GENERAL BOARD 

HW GENERAL BOARD 

SW DISK POM 

HW GENERAL BOARD 

HW GENERAL BOARD 

SW/HW COMMS BOARD 

SW GENERAL PGM 

HW COMMS BOARD 

HW COMMS BOARD 

HW COMMS SOX 

SW OENERAl PGM 

SW FILE PGM 

SW general kit 

SW FILE 

SW DISK PGM 

SW/HW FILE 

SW PFSDGRAMS KIT 

HW COMMS BOARD 

SW FILE KIT 

SW FILE PGM 


SW SSL KIT 

HW VOICE BOX 

HW voice BOARD 

HW VOICE BOARD 

HW COMMS BOX 

HW COMMS BOX 

HW COMMS BOX 

HW COMMS BOX 

HW COMMS BOX 

DES

| COUNTRY | COMPANY | PRODUCT | PLATFORMS/INTERFACES | TYPE | ENCRYPTS | EMBODIMENT | ENCALG |
| CANADA | Entrust Technologies | Entrust/Manager | MAC | SW | COMMS | PGM | PROP |
| CANADA | Entrust Technologies | Entrust/Session Toolkit | MAC | SW | COMMS | KIT | DES |
| CANADA | Entrust Technologies | Entrust/Solo | WIN95 | SW | DISK | PGM | CAST |
| CANADA | Freestyle Software, Inc. | Avalanche Java Cryptographic Toolkit |  | SW | GENERAL | KIT | DES |
| CANADA | Qaneaii | GanoailUA Plus | PC | SW | COMMS | PGM | PROP |
| CANADA | Ha* Systems Inc. | Securanie | WIN | SW | EMAIL | PGM | DES |
| CANADA | inforooTecmctogies. inc. | NETSSC |  | SW |  |  |  |
| CANADA | Isolation Systems | InfoCrypt Desktop | WIN95 | SW | COMMS | PGM | DES |
| CANADA | Isolation Systems | InfoCrypt Enterprise | ENET |  | COMMS | BOX | DES |
| CANADA | Isolation Systems | InfoCrypt Extreme PCI | DOS |  | COMMS | BOARD | DES |
| CANADA | Isolation Systems | InfoCrypt Server | WIN/NT | SW | COMMS | PGM | DES |
| CANADA | Isolation Systems | infocr^&M | WIN95 | SW | VPN | PGM | DES |
| CANADA | Isolation Systems | ISAC noo | PC | HW | COMMS | BOARD | DES |
| CANADA | Isolation Systems | ISAC 1500 | TOSHIBA | SW/HW | COMMS | BOARD | DES |
| CANADA | Isolation Systems | ISAC 2200 | PC | HW | COMMS | BOARD | DES |
| CANADA | Isolation Systems | ISAC 2400 | PC | HW | COMMS | BOARD | DES |
| CANADA | Isolation Systems | ISAC 2S00 | PC | HW | COMMS | BOARD | DES |
| CANADA | Isolation Systems | ISAC 3200 | PC | HW | COMMS | BOARD | DES |
| CANADA | Isolation Systems | ISAC 3500 | PC | HW | COMMS | BOARD | DES |
| CANADA | Isolation Systems | ISAC 4200 | MAC | HW | COMMS | BOARD | DES |
| CANADA | Isolation Systems | IS6R |  | HW | COMMS |  |  |
| CANADA | Isolation Systems | IS£2t00 | PC | HW | COMMS | BOARD | DES |
| CANADA | Isolation Systems | JSFE Frame Relay | NETWORK | SW/HW | COMMS | PGM | DES |
| CANADA | Isolation Systems | ISPEA* |  | HW | COMMS |  | DES |
| CANADA | Isolation Systems | ISPE/R System Packet Encryptermouwf) | NETWORK | SW/HW | COMMS | BOARD | DES |
| CANADA | Isolation Systems | ISPE/SA (Standalone Version) | NETWORK | HW | COMMS |  | DES |
| CANADA | Isolation Systems | ISTM (Isolation System Tacte Management) | NETWORK |  |  |  |  |
| CANADA | Isolation Systems | iSX&U | X25 |  |  |  |  |
| CANADA | Kyberpass Corporation | KyberPASS | WIN | SW | COMMS | PGM | DES |
| CANADA | Micro Tempus, Inc. | Ternpoi-CyP | DOS | SW/HW |  | PGM |  |
| CANADA | Milkyway Networks Corporation | Black Hole | ANY | SW | COMMS | PGM |  |
| CANADA | MPR TelecA | 77 |  |  | SATELLITE |  |  |
| CANADA | Northern Telecom Canada Ltd. (Data Comm Products) | PackjR Seohiv Overlay (PDSO) | ANY | HW | COMMS | BOX | DES |
| CANADA | Northern Telecom Secure Networks | OMS WX &»ai3» (C^i^ CSW>D |  |  |  |  |  |
| CANADA | Octathorp Industries | Canne Mad | VifP432 | SW | EMAIL | PGM | BLOWFISH |
| CANADA | Okiok Data | Data Eftcr^Ttiwt (KB) | PC | HW | FILE | BOARD | DES |
| CANADA | Okiok Data | FileSafe Light | WIN | SW | FILE | PGM |  |
| CANADA | Okiok Data | RA(VM»X*»C | PC |  | EDI | SMART CARD | DES |
| CANADA | Okiok Data | RAC/M Open Cryptographic Server | OS2 | HW | EDI |  | DES |
| CANADA | Okiok Data | Secure Server for Netware | NOVELL | SW/HW | FILE | WK | DES |
| CANADA | Queen's University | FlSAcNp |  | HW |  | CHIP | RSA |
| CANADA | Scientific Atlantic |  |  |  | Pay TV |  | PROP |
| CANADA | Secure Computing Corporation | BorderWare Firewall Server | PC | SW/HW | COMMS |  | DES |
| CANADA | Secure SON Terminals | Hex |  |  |  |  |  |
| CANADA | Secured Communications Inc. (SC') | Session | PC | HW | FILE | PCMCIA | DES |
| CANADA | Sierra Wireless | CDPD (Cellular Digital Packet Data) | V.32 |  | EMAIL |  | RSA |
| CANADA | Sierra Wireless | PocketPlus |  |  |  | BOX | CDPD |
| CANADA | Silanis Technology | ApproveIt CAD | WIN | SW | FILE | PGM | DES |
| CANADA | Silanis Technology | ApproveIt Desktop | WIN | SW | FILE | PGM | PROP |
| CANADA | Silanis Technology | ApproveIt Toolkit | WIN | SW | GENERAL | KIT | DES |
| CANADA | The Emjma Group | EMn3MA-7 Encryption |  | SW | FILE | PGM | PROP |
| CANADA | TimeStep Corporation | PERMIT 1010 PC LAN Security Module | PC | SW/HW | COMMS | PGM | DES |
| CANADA | TimeStep Corporation | PERMIT 1011 PC LAN Security ISA Card | PC | SW/HW | COMMS | PGM | DES |
| CANADA | TimeStep Corporation | PERMIT 1012 PC LAN Security PCI Card | PC | SW/HW | COMMS | PGM | DES |
| CANADA | TimeStep Corporation | PERMIT lOlS PC LAN Security Card |  | SW/HW | COMMS | PGM | DES |
| CANADA | TimeStep Corporation | PERMIT 1060 Secure Ethernet | WIN | SW/HW | COMMS | BOX | DES |
| CANADA | TimeStep Corporation | PERMIT 2010 PC Security Module | PC | SW/HW | COMMS | BOARD | DES |
| CANADA | TimeStep Corporation | PERMIT 2016 PC Remote Security |  | SW | COMMS | PGM | DES |
| CANADA | TimeStep Corporation | PERMIT 3010 | PC | SW/HW | DISK | BOARD | DES |
| CANADA | TimeStep Corporation | PERMIT 9010 SNfilS | PC | SW/HW | IPSEC |  | DES |
| CANADA | TimeStep Corporation | PERMIT 9300 | PC | SW/HW | COMMS | PGM |  |
| CANADA | TimeStep Corporation | PERMIT S/loken | PC |  | GENERAL | PCMCIA |  |
| CANADA | TimeStep Corporation | PERMIT Security Gateway | NETWORK | HW | COMMS | BOX |  |
| CANADA | TimeStep Corporation | PERMIT Security fcVcioGiate | ENET | HW | COMMS | BOX |  |
| CANADA | TimeStep Corporation | PERMIT SVPN |  | HW | VPN |  |  |
| CANADA | Tundra Semiconductor Corp. | CAJ0C03A | TTL |  | GENERAL | CHIP | DES |
| CANADA | Tundra Semiconductor Corp. | CA20C03AAM DES encryption Processor |  |  |  |  | DES |
| CANADA | Tundra Semiconductor Corp. | CA20C03W |  |  | GENERAL | CHIP | DES |
| CANADA | Tundra Semiconductor Corp. |  | TTL |  | GENERAL | CHIP | DES |
| CANADA | Tundra Semiconductor Corp. | NM830 | PC | SW/HW | FILE | PGM |  |
| CANADA | Tundra Semiconductor Corp. | Pwrr« LAN Encryption modules for LAN adapters |  |  |  |  |  |
| CANADA | Tundra Semiconductor Corp. | Transmission Access Platform (TAP) | RS232 | HW |  | BOX | DES |
| CANADA | Xcert International Inc. | Sentry CA | WIN/NT | SW/HW | KEYS |  | RSA |
| CANADA | Xcert International Inc. | Sentry RA | WIN/NT | SW/HW | KEYS |  | RSA |
| CANADA | Zoomit Corporation | Remote Link Plus | PC | SW | COMMS |  | RSA |
CZECH REPUBLIC | ANril Software | Access Control Supervisor | DOS | SW | FILE | PGM |
CZECH REPUBLIC | Aiwit Software | Fort Knox |  | SW | DISK | PGM |
CZECH REPUBLIC | Decros spol. s r.o. | ProtectOS | WIN95 | SW | FILE | PGM | PROP
CZECH REPUBLIC | Decros spol. s r.o. | ProtectNT | WIN/NT | SW | FILE | PGM | PROP
CZECH REPUBLIC | Decros spol. s r.o. | Security Card |  | HW |  |  |

DENMARK | Aarhus University, Computer Science Department | VICTOR | TTL | HW | GENERAL | CHIP | RSA
DENMARK | CryptoMathic A/S | 6303 DES | 6303MP | SW | GENERAL | PGM | DES
DENMARK | CryptoMathic A/S | 8051 DES | INTEL 8051 | SW | GENERAL | PGM | DES
DENMARK | CryptoMathic AS | DES for IBM.GTO | MF | SW |  | KIT | DES
DENMARK | CryptoMathic AS | DES Kernel | PC | SW | GENERAL | KIT | DES
DENMARK | CryptoMathic AS | Security Mechanisms | PC | SW | GENERAL | KIT | DES
DENMARK | CryptoMathic AS | DSP 56000 DES | osps«ooon | SW | GENERAL | PGM | DES
DENMARK | CryptoMathic AS | DSP 56000 RSA | OSPSEODCn | SW | GENERAL | PGM | RSA
DENMARK | CryptoMathic AS | F2F (File-to-File) | PC | SW | FILE | PGM | DES
DENMARK | CryptoMathic AS | Multiprecision Kernel | PC | SW | GENERAL | KIT | RSA
DENMARK | CryptoMathic AS | PrimeInk Java Tw^di | JAVA | SW | GENERAL | KIT | DES
DENMARK | CryptoMathic AS | PrimeInk C Tool Box | C CODE | SW | GENERAL | KIT | DES
DENMARK | CryptoMathic AS | RSA Security Mechanisms | PC | SW | GENERAL | KIT | RSA
DENMARK | CryptoMathic AS | Security API |  | SW |  | KIT | DES
DENMARK | GN Datacom | sateMalic Security Module | ANY | HW | COMMS | BOX | DES
DENMARK | hiei.tech Oiwuwar* | iCrypt 3JJ | WIN95 | SW | FILE | PGM | DES
DENMARK | Kommunedata | EOl-SAFE | PC | HW | COMMS | CHIP |
DENMARK | LSI Logic/Dataco AS | 03at»L5A4CM3 2030025402 | PC | HW | GENERAL | CHIP | DES
DENMARK | LSI Logic/Dataco AS | Dataco LSA4013 203C025402 | TTL | HW | GENERAL | CHIP | DES
DENMARK | Telesec | Telesec | ANY | SW | EDI | KIT | DES

ESTONIA | Cybernetica | Privador SVPN | ETHERNET | SW/HW | IPSEC | BOX | DES
ESTONIA | Cybernetica | Secure Socket Agent | WIN95 | SW | COMMS | PGM | 3DES

FINLAND | Antti Louko | AoDES | ANY | SW | GENERAL | PGM | DES
FINLAND | Datafellows Ltd. | F-Secure Commerce | WIN | SW | COMMS | PGM | DES
FINLAND | Datafellows Ltd. | F-Secure Desktop | WIN | SW | FILE | PGM | BLOWFISH
FINLAND | Datafellows Ltd. | F-Secure FileCrypto | WIN/NT | SW | FILE | PGM | 3DES
FINLAND | Datafellows Ltd | F-Secure SSH Client | MAC | SW | COMMS | PGM |
FINLAND Ltd

FINLAND Datafellows Ltd.

FINLAND Datafellows Ltd

FINLAND Datafellows Ltd.

FINLAND Jetico, Inc

FINLAND Jetico, Inc.

FINLAND Jetico, Inc


F-Seojfe SSH SsiN'ef UNIX 

F-SecufS SSH TunnstSTermnai MAC 

F-Seoji-e Vifiuai Pnvaie Networt PC 

F-S*<sjreVPN* WINS5 

BestCrypINP WIN95 

BasiCiypi Liie win 

BeslCrypl*- WIN 


FINLAND 

FINLAND 

FINLAND 

FINLAND

FRANCE 

FRANCE 

FRANCE 


S9-1 CwnnuneaSiAns Secunfy 

CoovnsjrucstionE Secunty 
SSH Communications Security 
AclivCarfl 
Atlantis 

Bull WoFdwids Inlotmatjon Systems 


LSO6C20 

SSH 

SSH iPSec Ei^essTo«kit 
SSH lSAKh«’A5sMey Tooa«t 
Aai>CaraX9.STc*en 
CSA/X,25 
CPS Log 


MAC 

ANY 

PC 

X.2S 

WK 


SW COMMS 

SW COMMS PGM 

SW VPN PGM 

SW IPSEC PGM 

SW FILE PGM 

SW FILE PGM 

SW/HW FILE PGM 

HW CHIP 

SW GOMH5 PGM 

SW !P^C KD 

SW isaaoap kit 

HW COMMS TOKEN 

SW/HW COMMS BOX 

SW/HW DISK PGM 


3DES 

JOES 

0£S 

BLOWFISH 

DES 

GOST 

28147.69 

GOST28147 

ELGAMAL 

JOES 

3DES 

oes 

PROP 


FRANCE 

FRANCE 

FRANCE 

FRANCE 

FRANCE 

FRANCE 

FRANCE 

FRANCE 

FRANCE 

FRANCE 

FRANCE 

FRANCE 

GERMANY 

GERMANY 

GERMANY 

GERMANY 

GERMANY 

GERMANY 

GERMANY 

GERMANY 

GERMANY 

GERMANY 

GERMANY 

GERMANY 

GERMANY 

GERMANY 

GERMANY 

GERMANY 

GERMANY 

GERMANY 

GERMANY 

GERMANY 

GERMANY 

GERMANY 

GERMANY 

GERMANY 

GERMANY 

GERMANY 

GERMANY 

GERMANY 

GERMANY 

GERMANY 

GERMANY 

GERMANY 

GERMANY 

GERMANY 

GERMANY 

GERMANY 

GERMANY 

GERMANY 

GERMANY 

GERMANY 

GERMANY 

GERMANY 

GERMANY 

GERMANY 

GERMANY 

GERMANY 

GERMANY 

GERMANY 

GERMANY 

GERMANY 

GERMANY 

GERMANY 


inc. 

BiJl WoTOwiOB inltXTnation Systems 
Bull WcnOMde Inlorfrielton Syslens 
CCETT 

CSEE • DiviBon Communicalicn et 
Yifonriataua 

Dassault Automatismes et 
Teiecommunicalions 
Digital Equipment Corp. |DECV 
Pans Researcn Lat> 

Merve Scnauer Consultants 
Hewlett Packa/O Fiance 

LAAS 

Pniiips Communsatlon Systems 

Rast Electronics 
SAGEM 

Anareas Kupnes 

Andreas Muller Software 

Bailer & Huwig 

BioData GmOH 

BicData Gm6H 

SioOsis GmiH 

&0Dst3 GmsM 

BFtCKAT Infnsysterrg AG 

CCI (CorTtpelence Center InformatiK 

GmbH) 

CE Infosys GmbH 
CE Inlosys GmDH 
CE Inlosys GmoH 
CE Inlosys GmbH 
CE Infosys GmbH 
CE infosys GmbH 
CE Infosys GmbH 
CE Infosys GmbH 
CE Infosys GmbH 
CE Infosys GmoH 
CE Infosys GmbH 
CE Infosys GmbH 
Cednc Remarb: 

Ceiticon 

Crmslopn Martin 
CiYCtoSofi GmbH 
CrvtAoSoft GmbH 
CryptoSofi GmbH 
GryptoSoft GmbH 
DaiaSafe 
Data Sale 
DataSale 
DemCom 

OTM Data TeleUarX GmbH 
E2i GmbH 

FAST ComTec GmbH 
GAO 

GIffiS 5 Herweg 
GWCK S. Kania GmoH 
GMD 
GMD 

Interconnect 

Interconnect 

jurgen Meyer, Frank Gadegast 

Karl Htnvig 

KariHuwIg 

K/ypsoKom 

KJVTXOKoni 

X.'jT«cS<om 

k/Yplcrf<sm 
Maiftias KratssHmer 
Roiana Munoiocn 
Siemens VefifSuiicfie 


OptefiMasier 

SecurWara YPN 


RSA chip 

MSC-6K<Gaie Keeper) 

Cryptographic Security Module for 

the HP900Q 

RSA implementations 

P83C852 Sman Card Cry^o 

Cs«f0M«f 

Crypt 11 

TCL Binary Large 
OOiects.exiensioniTci-BlotiX) vl,2 

Louis Cypber LC-i 
B abylon weia ISDN 
Babylon Meia Senai 
Babylon Standard 
BlGFire* 

X'PRESSO Secunty Package 3.0 

CDCrypt 

CrVTitCard 

DawCiypi 

Elkey 

Fasicrypl 

iPCryol 

IPC-So» 

PCi-CryOl 
RSA Smart Card 
RSA-Crypi 
Simo PCUAT 
SuperCrypl 
ASPlCryp 

SSL-M2 telnel 
BiowtSb Deveiopmeti kk 
DES 3 Deveiopmeni Kii 
Enigrtia for Windoius 98 
Enigma for Windows v 3. 1 
ENCRYPT-IT v3 06 
WIND£X!v2 0ilot DOS 
WINDEX! v2 01 tor Windows 
Sleganos 

DiCA 7800 ISON Line Encryptor 

H-Crypt 

MACS 1000 

GH-OES 

CryploEx Security Suite 

SecoOE PEM 

SECUDE-5.0 

Babylon 

BiGArs 

3ECMPEG 

LC-1 FaiVData Encrypiion unii 
LC-1 Voice Encryption Uhl 

K/yptoGuard Modem 

K/yptoGusro K,25 

KrytKoSefvef 

SmarlGusnj 8 

ProCrypl 

Acrypt 

ISDN - Cbannei 


WIN/NT 

ETHERNET 


UNIX 

HP/UX 


TTL 


telephone 

RJ-45 

RJ-45 

iSC»4 

ETHERNET 

JAVA 


WIN32 

PC 

WIN32 

PC 

PCI 

WIN32 

WIN32 

PCMCIA 

WIN32 

WIN32 


UNIX 

COS 

COS 


WiN32 

UNIX 

DOS 

telephone 


DOS 

AMIGA 

WIN95 


SW COMMS PGM DES 

SW/HW VPN BOX OES 


SMART CAFtD DES 


SW GENERAL KIT DES 


HW VOICE 

MW COMMS 

HW COMMS 

HW COMMS 

HW COMMS 

SW SSL 


eox rSa 

BOX 3DE5 
BOX 3DES 
BOX ODES 
SOX 3DES 
KIT tDEA 


SW CDROM 

HW GENERAL 

SW/HW FILE 

HW DISK 

HW GENERAL 

SW/HV/ COMMS 

HW COMMS 

HW GENERAL 

HW COMMS 

SW/HW FILE 

HW GENERAL 

HW GENERAL 

SW FILE 

SW DISK 

SW TELNET 

SW GENERAL 

SW GENERAL 

SW FILE 

SW FILE 

SW FILE 

SW FILE 

SW FILE 

SW FILE 

HW COMMS 

SW 

SW/HW COMMS 


PGM JOES 

PCMCIA DES 

3DES 

BOX OES 

BOARD DES 

PGM 3C«S 

BOX 3f»S 

CHIP 3C«S 

SMART CARD 3065 
PGM 3C«S 

BOARD JOES 

CHIP OES 

PGM BLOWFISH 

DES 

PGM IDEA 

KIT eiOWFiSK 

KIT 30ES 

PGM OES 

PGM OSS 

PGM OES 

PGM PROP 

PGM PROP 

PGM PROP 

SOX OES 

FEAL 

PGM DES 


SW FiLE 

SW BJAl PGM 

SW EMAtt. PGM 

SW GENERAL KIT 

HW COMMS 

SW VIDEO 

HW FAX BOX 

HW VOICE BOX 

HW COMMS SOX 

HW GENERAL BOX 

HW GENERAL BOARD 

SW/HW GENERAL PGM 

SW FILE PGM 

SW FILE PGM 

VOICE 


OES 

0£A 

OES 

DES 

DES 

DES 

RSA 

RSA 

DES 

OES 

DES 

DES 

DES 

PROP 


GERMANY 

GERMANY 

GERMANY 


Siemens-NixdDrI 

Siemens-Nindorf 

Siemens-Nisfloft 


SESAME 

SICUR6 


UNIX 


5W COMMS PGM 

HW CHIP 


DES 

DES 
GERMANY | Siemens-Nixdorf | Trustee Web |  | SW/HW | COMMS | PGM |
GERMANY | SIT | ComSave SiC4lO | V.24 | HW | COMMS | BOARD | PROP(FEAL
GERMANY | T. Biil^Sieir |  | DOS | SW | FILE | PGM | DES

GERMANY | Tsia Versichen/ns |  |  |  |  |  |
GERMANY | Tele Security Timmann GmbH & Co. | TST ^0 PerfortriMW liW-Spec OpKer Terminat | RADIO | HW | COMMS | BOX | PROP
GERMANY | Tele Security Timmann GmbH & Co. | TST SSSO HandyCrypt | PRINTER | HW | COMMS | BOX | PROP
GERMANY | Tele Security Timmann GmbH & Co. | TST 3570 PocketCrypt | telephone | HW | COMMS | BOX | PROP
GERMANY | Tele Security Timmann GmbH & Co. | TST 3677 V0U/Saeen-Oner«ed |  | HW | COMMS | BOX | PROP
GERMANY | Tele Security Timmann GmbH & Co. | TST 4043 HP Slow Speed Modem with encryption | PC | HW | COMMS | BOX | PROP
GERMANY | Tele Security Timmann GmbH & Co. | TST 4045 HP Modem 2.4iCC!^ with encryption | PC | HW | COMMS | BOX | PROP
GERMANY | Tele Security Timmann GmbH & Co. | TST S500 Crypto Modem | PC | SW/HW | COMMS | BOX | PROP
GERMANY | Tele Security Timmann GmbH & Co. | TST 5560 DataCipherSet | RS232 | HW | COMMS | BOX | PROP
GERMANY | Tele Security Timmann GmbH & Co. | TST 5573 C £^t3 ir^jypw | PC |  | COMMS | BOX | PROP
GERMANY | Tele Security Timmann GmbH & Co. | TST 5573 FiC |  | HW | FAX |  | PROP
GERMANY | Tele Security Timmann GmbH & Co. | TST 5573 HiC |  | HW | COMMS | BOX | PROP
GERMANY | Tele Security Timmann GmbH & Co. | TST 5573 PC |  | HW | COMMS | BOX | PROP
GERMANY | Tele Security Timmann GmbH & Co. | TST 5573 XiC |  | HW | COMMS | BOX | PROP
GERMANY | Tele Security Timmann GmbH & Co. | TST 7595 iiTsce encryption | telephone |  | VOICE | BOX | PROP
GERMANY | Tele Security Timmann GmbH & Co. | TST 7610 Secure Office Telephone | telephone | HW | VOICE | BOX | PROP
GERMANY | Tele Security Timmann GmbH & Co. | TST 76M Miniature Military Voice Coder | telephone | HW | VOICE | BOX | PROP
GERMANY | Tele Security Timmann GmbH & Co. | TST 7700 Telephone vocoder and Modem | telephone | HW | VOICE | BOX | PROP
GERMANY | Tele Security Timmann GmbH & Co. | TST 6010 Spreadspectrum Radio | RS232 | HW | COMMS | BOARD | PROP
GERMANY | Tele Security Timmann GmbH & Co. | TST 9659 Tew* Owner Module | TELEX | HW | COMMS | BOARD | PROP
GERMANY | Tele Security Timmann GmbH & Co. | TST 9700 INMARSAT-C encryptor |  | SW/HW | COMMS | BOX | PROP

GERMANY | Telenet Kc/nmuftikatiori Syslemie | File Transfer | IBM/MVS | SW | FILE | KIT | DES
GERMANY | Toshiba Europe GmbH | Cr^Card | PC | HW | DISK | PCMCIA | DES

GERMANY | Utimaco Safeware AG | BACK-Guard | PC | SW | DISK | PGM | DES
GERMANY | Utimaco Safeware AG | C.Cnrtit | PC | SW | FILE | PGM | PROP
GERMANY | Utimaco Safeware AG | Cryptware Board 1 3 |  | HW | EMAIL | BOARD | DES
GERMANY | Utimaco Safeware AG | Cryptware Server 3 0 |  | HW | COMMS | BOX | DES
GERMANY | Utimaco Safeware AG | Cryptware Toolkit | ANY | SW | GENERAL | KIT | 3DES
GERMANY | Utimaco Safeware AG | riCTDACS for DOS - Windows | DOS | SW | FILE | PGM |
GERMANY | Utimaco Safeware AG | SAFE-Board I | PC | HW | DISK | BOARD | XOR
GERMANY | Utimaco Safeware AG | SAFE-Board II | PC | HW | DISK | BOARD | DES
GERMANY | Utimaco Safeware AG | SAFE-Board III | PC | HW | DISK | BOARD | DES
GERMANY | Utimaco Safeware AG | SAFE-Guard OSTtSO | PC | SW | DISK | PGM | DES
GERMANY | Utimaco Safeware AG | SAFE-Guard Professional 3.2C | PC | SW | DISK | PGM | DES
GERMANY | Utimaco Safeware AG | SafeGuard DACS for Windows 95 | WIN95 | SW | GENERAL | PGM |
GERMANY | Utimaco Safeware AG | SafeGuard Desktop 2.i0 | OS2 | SW | DISK | PGM | DES
GERMANY | Utimaco Safeware AG | SafeGuard Easy 1 3» | WIN/NT | SW | DISK | PGM | DES
GERMANY | Utimaco Safeware AG | SafeGuard Easy 1 13 | WIN95 | SW | DISK | PGM | DES
GERMANY | Utimaco Safeware AG | SafeGuard Easy 2 1 8 | OS2 | SW | DISK | PGM | DES
GERMANY | Utimaco Safeware AG | SafeGuard Easy 2,?4 | DOS | SW | DISK | PGM | DES
GERMANY | Utimaco Safeware AG | SafeGuard LAN Crypt 1 C | WIN/NT |  | COMMS | PGM | DES
GERMANY | Utimaco Safeware AG | SafeGuard Professional t lO | OS2 | SW | DISK | PGM | DES
GERMANY | Utimaco Safeware AG | SafeGuard Sign&Crypt | WIN95 | SW | FILE | PGM | IDEA
GERMANY | Utimaco Safeware AG | SafeGuard VPN | UNIX | SW | VPN | PGM | 3DES
GERMANY | Utimaco Safeware AG | SIGN-Guard | PC | SW | EMAIL | PGM | DES

GERMANY | Held VYerite | ?? |  |  | VOICE |  |
GREECE | Jorirv losrimtf.s | Jfs iPsec | BSD | SW | IPSEC | PGM | DES

HONG KONG 

ROCTEC Emerorisaa, Lid 







NONG KONG 

Techlrend Eftsmeerinc, Ud, fTEt) 

?? 






HONG KONG 

Triple D Lie 

®-8 Secunly Masts' Card 

PC 

SW/HW 

GENERAL 

PGM 

DES 

iCELANO 

Logt Ragoarasori 

CryptomiB Java Paexage 

JAVA 

SW 

FILE 

KIT 


ICELAND 

SoNis rif 

LOUIS Secunly Package 

JAVA 

SW 

COMMS 

PGM 

30ES 

INDIA 

Sitarei Eiecironics Ltd 

Anaiooue Code Encrypuor Umi 

RADIO 


PW 

SOX 


INDIA 

Briarai Eiedrooics Lid 

A27308E Speecri EncrypaonUnil 

RADIO 

HW 

VOICE 

BOX 


INDIA 

CrienaO lolo Tecriootogy 

Cryeiic 

PC 

SW 

FILE 

PGM 

PROP 

IRAN 

Comnumcai'Oris lodusines Group 

ASU-212 Encryption Unit 

RADIO 

HW 

VOICE 

SOX 


IRAN 

Ccmfriuricaftoris indusiries Group 

A6U'311’A£ncrYt)iiori Syslem 

RADIO 

HW 

VOICE 

BOX 


IRAN 

Comrriun.caiioos induswe* Group 

0£U- 104 Ogitai Vc*ce Encryplton 
Unit 

P£Li-4liO Facsimite Encryption Unit 

RADIO 

HW 

VOICE 

BOX 


IRAN 

CommuricaiiQos industries Group 

telephone 

HW 

FAX 

BOX 


IRAN 

Comnumoalions indusines Group 

lEU-3137ttecriorie Encryplion UM 

le'ephorve 

HW 

VOICE 

BOX 


IRAN 

Csmnun cations inousmes Gro-p 

TEU- 620 Tele* EncryWion Unit 

TELEX 

HW 

COMMS 

BOX 


IRELAND 

ATST Network Systems Ireland 

ATST arsfCAH 10 


SW 




IRELAND 

Eufoiogic Systems. Ltd 

Oalacrypi 

SCSI 

HW 

TAPE 

BOX 

PROPfBSA 

IRELAND 

Eijroiogic Systems, lid 

DC-200 


HW 

DISK 

BOX 

8SA 

IRELAND 

Key Excriange iraland UO 

T> 

PC 





IRELAND 

Piioniy Data Systems Lid 

?•> 






IRELAND 

Soamus Sottware Ltd. 

?? 






IRELAND 

IRELAND 

Seicori Soiiware SyiMems Liu, 
Software anc Systems Engirieennfl 
Lid 

Software anc Systems Engineering 
Lid. 

Software anc Systems Engineering 
Ltd. 

Software Systems ErigireenriB Ltd. 

TrvstwMIMe 

WIN3S 

SW 

S/MIME 

PGM 

3DES 

IRELAND 

Trvsied'iNeo Express 

wiygs 

SW 

COMMS 

PGM 


IRELAND 

TrustecT/veo v 2.0 

WTf95 

SW 

COMMS 

PGM 

3DES 

IRELAND 

7? 






IRELAND 

Syslemics Lid. 

Cryptix Cty^ograplwc library far 

Java 3.03 

JAVA 

SW 

GENERAL 

KIT 

oes 

IRELAND 

Sysiertiics Lid. 

CrypH* Java Ciyptographie 
Exienswns 

JAVA 

SW 

GENERAL 

KIT 

OES 

IRELAND 

Systemics Ltd. 

Elbplix 

JAVA 

SW 

GENERAL 

KIT 

ECC 

IRELAND 

Sysiermcs Ltd 

PGP Litwary lo* Pen 

PERL 

SW 

GENERAL 

KIT 

PGP 

ISLE OP MAN 

invTSimai! iritemaiionai Lid. 

wwsimaii V3.1 

VAN 

SW 

EMAIL 

PGM 

RPK 
ISRAEL

ISRAEL 

ISRAEL 

ISRAEL 

ISRAEL 

ISRAEL 

ISRAEL 

ISRAEL 

ISRAEL 

ISRAEL 

ISRAEL 

ISRAEL 

ISRAEL 

ISRAEL 

ISRAEL 

ISRAEL 

ISRAEL 

ISRAEL 

ISRAEL 

ISRAEL 

ISRAEL 

ISRAEL 

ISRAEL 

ISRAEL 

ISRAEL 

ISRAEL 

ISRAEL 

ISRAEL 

ISRAEL 

ISRAEL 

ISRAEL 

ITALY 

ITALY 

ITALY 

ITALY 

ITALY 

ITALV 

ITALY 

ITALY 

ITALY 

ITALY 

ITALY 

ITALY 

ITALY 

ITALY 

ITALY 

ITALY 

ITALY 

ITALY 

ITALY 

ITALY 

ITALY 

ITALY 

ITALY 

JAPAN 

JAPAN 

JAPAN 

JAPAN 

JAPAN 

JAPAN 

JAPAN 

JAPAN 

JAPAN 

JAPAN 

JAPAN 

JAPAN 

JAPAN 

JAPAN 

JAPAN 

JAPAN 

JAPAN 

JAPAN 

KOREA 

KOREA 

KOREA 

KOREA 

KOREA 

KOREA 


Alafid’n Kno^iJease Systems. Ltc3. 
Aiaocfin KrcwteOge Sysiems, Lt3. 
Aioomhmic Rssearcn Lio. 
Aigoninmic Researcn l.ia. 
Alaonifimtc Research Li<5. 
Algorithmic Research Ltd. 
Algorithmic Research Lid. 

Atiroo Ltd. 

Atiroo Ud. 

Alirix) Lid. 

Carmel Software Engineering Lid, 
ChecKPoint Software Tcc-inoicigies 
Ltd 

OiecitPQirit Software Technologies 


ASECrypto 

HASP 

CWOKll 

CryptoSafe 

Crytyo^ver 

CrypioSefver 

PrivateWre 

PrivaFite 

PnvsMaft 

PMvaSoft 

INFCLOCK 

PireWaB -1 4.0 


VPN't Acceieratof Card 


Checkpoint Software Technologies VPN-l Apfifisoce 
L!d 

ChscKP&nt Software Technologies VPN-I SecjRemoie 


W1M95 SW FILE 

DOS HW 

DOS SW GENERAL 

HW KEYS 

ETHERNET SW 
EW£f»iET HW GENEfRAL 

ETHERNET SW/HW COMMS 

WIN SW FILE 

vm SW EMAIL 

DOS SW FA>t 

PC SW FILE 

UNIX SWIHW VPN 


KIT DES 

KIT OES 

DES 

SMART CARD 
BOX OES 

PGM DES 

PGM PROP 

PGM PROP 

PGM PROP 

PGM ' PROP 

KIT 30ES 


PCI BUS HW VPN 


BOARD 


OES 


V3S HW 


BOX 


OfS 


V«N9S SW VPN 


PGM 


OES 


Eemeninx Techhiaogjes Lid 
E'emenThx TecnnoioS'es Ltd. 
Ins Software 
Ins Software 
RADGUARO, Ltd 
RADGUARO. Lid 
RADGUARO, HO 
RADGUARO, Lid 
RADGUARO Ltd 
RADGUARO. Lid 
Secure Nenycrv Systems, Ltd 
Secure Netwcrv Systerns. Lid 
Tadiran 
Tadiran 
Tadiran 

Vanguard Secuniy Technoiogn 
Lid 

AUTECSPA 
AMTEC SPA 
AMTECSPA 
AMTEC SPA 
AMTEC SPA 
AMT6C SPA 
CERT-n 
Eel'on Soa 
Eulroh Sos 
Euiron Soa 
EulfOh Spa 
Euiron Spa 
Euiron Spa 

Systems Comrnunicazorii sn 
Systems Commuhtcaaoru $n 
TElSY Eieitroriica e 
Teiecomuhicazioni S,p.A. 
TELSY Eleiirohica e 
Teiecomuhjcaaion) S p,A, 
TELSY Cleitrpnica e 
Teiecomuriicactoni S.p,A 
TELSY Eietirpmca e 
Tsiecomuriicaitohi S,p,A. 
TELSY Eietironiea e 
Teiacorr,unicazicni S,b,a, 

TElSy Eiettrcmica e 
TaiecorruhJcaLioni S p.A 
TELSY Eleiironic* e 
Teiecorr,uhica:iohi S p A, 
TElSy Eieitromca e 
TeiecoiTAjnicajioni S,p,A, 
ADVANCE Co, LW 
Compat inc 
Fujitsu Laos Lid 
MiisgOiyti Etecmc Corporation 
MiisuOtshi Elecirtc Corporation 
MiisuPtsu Electric Carporaijon 
Mitsuuisni Electric Cjrporaiton 
Miisuttshi Eiecific Coivoraiion 
MiisuOtsht Electric Corporation 
Miisupisn Elecinc Carporaiion 
Miisupisni Electnc Coiporaiion 
MusuOiShi Etecinc Corporaiion 
MitsuSisfii Electric Corpctraiiorv 
MiisuOisni Elecinc Ertgmeenng 
Cornpany Ltd 
Nihon R3A 

Nipon Telephone & ‘"eiegraph 
TcshiBa infoimaiion Systems 
(Japan) 

YcKOhama Nanooa! Urvversity 
Future Systems, Inc 
JiranSofl 

Penia Secuniy Systems In-. 
Sene* Techrstfogies Inc Lid 
Sene* Technologies Inc. Lid 
Sencx Technologies Inc. Ud 


POTP Secure FTP 
POTP Secure Mad 
ComKxdt 
inipct 

cfP>o<kenl 

ctffto-DMZ 

cIPfOHQ 

cIPro-VPN 

Cr«itt>Wafl 

NetC-yptOf 

Onty You 

You & Me 

SEC-13 

SEC-15 

SEC-2: 

MailGuardian 

AMTEC SPA Cryotocsrs 
Crypto Device 
Cryptodo* 

Crypt^iie 
CS-S6C 
RSA 512 
STEL 

SmartKey pftjs / GSS 
SmartKey plus Buss ^SS 
SmartLocK BASE 
SmaiiLocx DEFence 
Smart ocit DESrrynwoo 
SmanLoc* “ROfessional 
Secue Desk-Top 
Secure Piup-ih (O' Eudora 
ALLFAX 1030 

Cryptopnone 7000 
Cryptc^^wme 7000 o>us 
Cryptophone 7900 
KDill C 
KV3030 

TXl020CMk HI 
TX2020 C 


WIN 

UNIX 

UNIX 

WIN32 

ETHERNET 

ETHERNET 

ETHERfCT 

ETHERNET 

X.25 

DCS 

DCS 


X.25 

\AftN95 

X.26 

SUNOS 

DOS 

DOS 


SV/ 


DOS 

no-s 

DOS 


TELEPHONE 

TELEPHONE 


HW 


tPSEC 

IPSEC 

IPSEC 

IPSEC 

COMMS 

VPN 

DISK 

CCMMS 


EMAIL 


HW COMMS 

HW CCMMS 

HW CCMMS 

SvmW FILE 

HW tPSEC 

HVy COMMS 

SW COMMS 

SWHW 

SW<HW FILE 

SW DISK 

SW DISK 

SW DISK 

SW DISK 

SW FILE 

EMAIL 


FAX 


COMMS 

COMMS 


KPS Cipher Card 
Pandora 
FjPEMvlO 
CERTMANAGER V 800 
CertMiSTY V.800 
Crypiofae vBOO 
C/ypioS<oii V 60C 
MELWALL A3000-t 
MELWALL H3000-1 
MELWALL PSOOOvEOO 
MELWALL P3000CI 
PowerMwty v.BOO 
TnjsiWeo V 600 
MISmEYPER vBOO . 


MANY 

WIN32 

WIN32 

WIN32 

WIN32 

ETHERNET 

ETHERNET 

WIN32 

WIN95 

WIWNT 

WIN32 

WINAm 


HW 

MW genera:. 

SW EMAIL 

SW' S/MIME 

SW GENERAL 

SW DISK 

SW EMAIL 

HW COMMS 

HW COMMS 

SW COMMS 

SW COMMS 

SW GENERA. 

SW COMMS 

SW/HW KEYS 


RSA Crtp 
Encnypt'on Chip 
Cypher Mail 


HW general 

ANY HW GENERAL 

WtN95 SW EMAIL 


KPSUCARO 

fulureTTCPvAO DOS 

FiieSafe vi 0 PC 

ISSACv 10 ANY 

Assure W^CA WIN.'NT 

Assure X-hler (or WcrKGroop v3.0 WIN 
Assure X-MsHer WIN 


SW COMMS 

SW FILE 

SW' GENERAL 

SW 

SW FILE 

SW FILE 


PGM POTP 

PGM POTP 


PGM 

BOX DES 

BOX 3DES 

BOX 

BOX DES 

BOX OES 

PCMCIA 
PCMCIA 


PGM DES 

SMART CARD RSA 
BOARD RSA 

BOX RSA 

PGM RSA 

BOARD 3DES 

CHIP RSA 

PGM DES 

Kr PROP 

KIT PROP 

PGM PROP 

PCM PROP 

PGM DES 

PGM PROP 

PGM DES 

PGM DES 

BOX PROP 

PROP 

PROP 

BOX PROP 

BOX PROP 

BOX PROP 

BOX PROP 

BOX PROP 


CHIP OES 

PGM OES 

PGM MISTY 1 

PGM MISTY1 

PGM MISTY1 

PGM MISTYI 

BOX MiSTYt 

BOX MISTYI 

POM WiSTYt 

PGM MISTYI 

KJ7 MiSTYt 

PGM MiSTYt 

BOARD MiSTYI 

CHIP RSA 

CHIP 30ES 

PGM 


PGM DES 

PGM 8L0WPISH 

KIT PROP 

PGM RSA 

PGM BLOWFISH 

PGM BLOWFISH 
KOREA

SsSfoojn 

xec^eDoc t.o 

lA^ 

sw 

Fits 

PGM 

RCA 

KOREA 

a^Fofvsw 

XectirafiisiS-O 

WU«32 

sw 

EMAIL 

PGM 

RC4 

KOREA 

Sdif-cYum 

XaesraW^ 3-0 

vm 

sw 

COMMS 

PGM 

RC« 

MSXiCO 

S«5UftJa!3 RnvaUs SA 3«C.V. 

SegunOOC 

Wtti 

sw 

FILE 

PGM 

306S 

MEXICO 

S«9i5!i4ata p!i>-atia 5A. de Cv, 

SesuPEWFACT 

-feLVA 

sw 

£0! 

. PGM 

3DES 

MEXICO 

S«^ntiaa PiivacJs S.A. de G.V, 

Se^o'&tB 

CCOOE 

sw 

SENERAL 

k;t 

30fiS 

MEXICO 

SegufidsU Ptj«S3 S.A, de C V- 

Sesofl«^3XY 

V<»N3Z 

sw 

COWMS 

P3M 

RCA 

MEXICO 

Se5>uf<iat8 P<wsda 5-A deCV. 

SataJfi l^LMFT 

WtK32 

sw 

COMMS 

PGM 

RC4 

MEXICO 

TYe Kif^ o! HeeiLs 

Hydronoe {K^} 

DOS 

sw 

DISK 

PGM 

iOSA 

M£Th«RlAfiDS 

Ad tnftnsum Pf-ogmms iAlP-Ni) 

Uij»aC^T^ss« it 

PC 

SVf 

file 

CES 

fiETI^RUNDS 

AKo Blow Sofiw^A 

V^Csi^deR^ 

UAC 

sw 

PW 

PGM • 

fiLOWFrSH 

NEIHERLANOS 

S-V. 

T?>ursksCc¥^ 

wm/fiT 

sw 


PGM 

K-OY/FiSH 

NHTM6RUftf®S 

AacHB.v. 

ThuiWeiSefe 

v/Hmr 

sw 

riL6 

PGM 

a.owrsfi 

NETHERLANCW 

C&nsKKd Sracom NeSertam} &V 

DEAOyjsBToofte 

PC 

sw 

aE>CRAL 

KIT 

OSS 

ICTHERLANOS 

Cooeofti Bfacofn NaUenarKl 8V 

A4uI->-F\mcaontf PC SsaxSy {lAPPSj 

!>a 

PC 

MW 

CENERAL 

BOARD 

OPS 

NeTHERLANDS 

Coftcofd Efaco"' NedefSainJ 8V 

SCOi^ 

PC 

sw 

GENSRAL 

KIT 

DBS 

NSTHERtANDS 

Cwico'd Eracsw Kedertand flU 

SSCNETFCM) 

PC 

SWIHVS' 

DISK 


oes 

NSTMERtANDS 

Conccvd Eracom Nedefiand 8V 

SECNET (HCM) 

PC 

NW 

DISK 

BOARD 

DSS 

NflMEftlANDS 

Cowd Efscw^ N«e«iianfl BV 

S6CN6T(K;m) 

PC 

SW 

DISK 

PGM 

o&s 

NETHERUNOS 

ConcQi-0 Efacom NedertafK) 8V 

SSCKET f Bi-g«J^ 

PC 

HW 

SENERAl 

BOARD 

DES 

NTIHERLANCIS 

Cof!t»-<S ei»c»^ Nsderland SV 

SSOCT MfPS 

PC 

SWIHW 

COMM.S 

PGM 

DES 

W.TH5RiANDS 

C&fsHKd Eracom NcaertaRd SV 

SSCHET PC &^ocS 4.S 

PC 

SW 

DISK 

PGM 


I^THERLASDS 

OsgiCash 

E.iiKOwic cssft sysisifts 






f^THERlAHOS 

iSiSiCssA 

EiecirofYC ^ pa^irafg spi«t>s 






NETHERIANDS 

OijiCash 

Wo- Giart i-120efn‘*pi'ypt6f) 

oos 

SW/HW 

GENBRAi 

PGM 

IXS 

NSTHcRUNOS 

idcaa Datatw BV 

AUtHORIZER 

RSZ32 


COMMS 

BOX 

PROF 

NSXHERtANOS 

Philips Ciypio S.V, 

PFOX203& fat Encrypior 

FAX 

HW 

COMf^ 

SMART CARO 

PROF(f»gh 

eiiO) 

NETHERUNOS 

PMiips Ciypic B V. 

PNVX2ll6Cr?0toS«iWt 

PBX 

HW 

COMMS 

BOX 

NETMERUNOS 

RKilipsCfyplo B.V. 

PnVX 21 15 Secure TelacAoAe 

PSJ32 

HW 

COMMS 

SMART CARD 

PROP<ivsn 

end) 

ESS 

NETHSREANOS 

W-Aps CrypJC B.V, 

W’SxaoBi Data Eisc^aef 

X.25 

HW 

COMMS 

SOX 

NcTHSRUNOS 

Pliiltps Gi^io B.V, 

Viisan 

V.*H©NT 

SWTHW 

PfL£ 

PCMOA 


NETHSRlAMDS 

?ip«n6ui8 

PCCiOOSJi; Oa» cncfYpfeyOs^ 

TTt 

HW 

GENERiU. 

CHIP 

OES 

N-7HER5.ANOS 

RijnenSur® 

PCC IPO HiBti Speafi D£S One 

ra 

HW 

QSNHKAL 

CHIP 

ots 

NEIHERIANOS 

RijnenbufB 

PCC101 

ANY 

HW 

GCNERAi 

CHIP 

DES 

NEXI-IERlAf'OS 

P'jnenlujr® 

PCC20ORSA C*>» 

TTL 


GENERiy. 

CHIP 

RSA 

NETHSRIANOS 

Piinen&uig 

«^G201 

ANY 

HW 

GENERAL 

CHIP 

OES 

NEtWERlAMDS 

YuLp Com.lX'IS'S BV 

Cvsk EnCT¥B!»sr. Umi 






METMSRLANOS 

V«fsp«k & SMiers b.v. 

SacurlO 

ANY 

HW 

COMMS 

. BOARD 

DES 

NETKERUNOS 

Vef^cn & Sealers B.V. 

SecvflOi 

AfiV 

HW 

COMMS 

BOX 

OES 

f^THcREANQS 

Vefspw* S Soeiers B.V , 

SecBfiOn 

ANY 

HW 

COMMS 

BOX 


NETHSRUR03 

Vw^-ack & SMters B-V. 

SeciffiOllt 

ANY 

HW 

COMMS 

BOX 

DES 

NSW2EAIANC 

CESCaffl^iiirnawns Hfl- 

EWaJOOft XL 

T7L 


FAX 


PROP 

NEW ZSAiAND 

CES CsfftnruflicatOYS LW. 

EMeZCOOXr 

TTL 

MW 

VOICE 

PHONE 

PROP 

NSWiSALAMO 

CeSC,v»mg,^ie»iier»»'Lid, 

PiKG'iia'tSaft 

TTL 

HW 

FAX 


PROP 

NEW :EA LAMP 

OSSCwnfruntcsliOPS LiS. 

Piiona <So3nli8.n 

TTL 

HW 

VOICE 


PROP 

N£W2£ALAN0 

Join GilfnOTft 

Flee SiV/.AN 1.00 

L!NL>X 

SW 

COMMS 

PGM 

3Des 

NSW ZEALAND 

lUC EficryBitonTecbnaftigy, LW, 
(LUCENT) 

LCP llirery 

ANY 

SW' 

GENERAL 

KIT 

lUC 

NEW ZEAIANP 

LUC Ertcrypifon retfwcaog^, Lie. 
auCEMT) 

Reii'' GyliTaflft 

sw 

PC 

5W 

FILE 

PGM 

LUC 

NEW ZGAIAMP 

Crypir* 


SW 

OENcRAL 

KIT 

tsse 

NOTgS> 


NEW ZEALAND 

P«ef (jowann 

HPACKArehWrO.TB 

PC 

sw 

FILE 

PGM 

MOC 

NEW ZEAUND 

Peter Ovimsfln 

Sacara File Sysiaff^Sl l.i 

PC 

sw 

WSK 

PGM 

MOC 

NSV/ ZEALAND 

RPK Na>t SesOnu 

tnAtiman Piplessional 

WIN95 

sw 

EMAIL. 

PGM 

RPK 

NEW ZEALAND 

RPK Ng'a Zeaiarvj 

RPK Rie 1 0'l 

WIN 

sw 

FILE 

PGM 

RPK 

NaWZEAlANO 

RPK New Zeelartc 

RPK Piipuc Key Cr-ypiosysiem 

UNIX 

sw 

GENERAL 

KIT 

RPK 

NSW ZEALAND 

RPK New Zealand 

TRPKC 

vy;m 

sw 

8ENSRAL 

KIT 

RPK 

NEW ZEALAND 

RPK New Zewenc Lid 

RPK Ciwypiomie S jHwate Tij^Vii 

Vi 1 

RPK SecofaMe<f>8 wo 

c—cooe 

sw 

OENSRAL 

KIT 

RPK 

NSW ZEALAND 

RPK New ZcWsod IW 

wjNmr 

sw 

MEDIA 

PGM 

RPK 

NORWAY 

Aiisan SeftwAre 

n 





NORWAY 

CduYibi MiCYP aa 

?? 






NORWAY 

Enceson Stmater 

?? 






NORWAY 

lnfeMeaiQ!i AS 

?? 






NORWAY 
BOX

BOX 


PGM 

PGM 

PGM 

PGM 

PGM 

PGM 

PGM 


BOX 

BOX 

BOX 

BOX 

SOX 

aox 

CHIP 


BOX 

ADAPTOR 

BOX 


DES 

DES 

DES 

PROP 

RAMBUTAK 

DES 

DES 

SALARIES 

BA2ARIES 

DES 

DES 

DES 

DES 

DES 

tOEA 

IDEA 

DES 

DES 

IDEA 

LUCIFER 

PROP 

PROP 

PROP 

PROP 

PROP 

PROP 

PROP(MAR 

CRYPT) 

PROP 

PROP 

PROP 

PROP 

FEAIS 


FILE 

GENERAL 

GENERAL 

COMMS 

COMMS 


PROP 

DES 

OES 


PGM 

PGM 


SW COMMS 

HW FILE 

SW FiLE 

SW DISK 

SW DISK 

SW/HW DISK 

SW DISK 

SW DISK 

SW/HW DISK 


SW DISK 

SW GENERAL 

SW 

SW/HW FH.E 

SW DISK 

SW FILE 

SW FILE 

SW FILE 

HW COMMS 

HW COMMS 

HW COMMS 

HW COMMS 

HW COMMS 

HW COMMS 

HW COMMS 

SW/HW GENERAL 
HW COMMS 

HW COMMS 

HW COMMS 

HW PIN 


KfT 

SMART CARD PROP 
PGM PROP 

POM PROP 

PGM PROP 

PGM DES 

POM PROP 

PGM PROP 

SMART CARO PROP 
CHIP RSA 

PGM PROP 

KIT DES 

OES 

<See ND(es> 

PGM PROP 

PGM PROP 

PGM PROP 

PGM PROP 

BOX DES 

BOX OES 

SOX DES 

SOX OES 

BOX OES 

BOX DcS 

BOX OSS 

ISA DES 

BOX DES 

BOX DES 

BOX DES 

TOKEN OES 
Racal Airtech Ltd.

Racal Airtech Ltd.

Radius 

Reflex Magnetics Ltd 
SAS Iniernauonal PLC 
SAS International PLC 
Secuncof 3net Ltd. 

Smgton Associates 
Smith's Assooates 
Soft Concepts 
Softdisketie 
Sophos Ltd 
Sophos Ltd 
Sophos Ltd. 

Sophos Ltd. 

Siralfors Data 

Sygnus Data Communicatu 

Time A Data Systems 

University College London 
University College London 
W.dney Ash 

Zeta Communications Ltd. 
Zeta Convnunications Lid. 


Reflex Oisknet 
Dr Solomons Ringlence II 
SAVEDIR 
Secure IQ ENCO 


D-Pence4 HMG 
D-FenceA SPA 
E-DES 
PUBLIC 
PS3 

Microstop 


SW/HW SSL 


DISK PGM 

FILE PGM 

COMMS 


DISK PGM 

DISK PGM 

FILE PGM 

COMMS PGM 


DES 

DES 


PROP 

PROP 

DES 


PROP 

HMG 

PROP 

DES 

DES 


DES 

DES 

PROP 

PROP 
C. FOREIGN ENCRYPTION MANUFACTURERS AND DISTRIBUTORS BY COUNTRY

The following table is a summary listing of the foreign companies that manufacture or distribute cryptographic products.
COUNTRY | COMPANY
ARGENTINA | Data Crypt S.A.
ARGENTINA | Newnei S.A
AUSTRALIA | Andrei Souieimanian
AUSTRALIA | Banksia Technology Pty Ltd.
AUSTRALIA | Carton Based Software
AUSTRALIA | Cipher Research Laboratories
AUSTRALIA | Cryptsoft Pty Ltd
AUSTRALIA | Cytanim Pty Ltd
AUSTRALIA | DataCrypt
AUSTRALIA | Datamatic Pty. Ltd
AUSTRALIA | Eracom Pty Ltd
AUSTRALIA | Eric Young
AUSTRALIA | Loadplan Australasia Pty Ltd
AUSTRALIA | LUCENT
AUSTRALIA | Matthew Kwan
AUSTRALIA | Microlock
AUSTRALIA | Microsoft Pty
AUSTRALIA | Mosaic Industries
AUSTRALIA | NetSafe
AUSTRALIA | News Datacom
AUSTRALIA | NexSol
AUSTRALIA | Nick Payne
AUSTRALIA | Robust Software
AUSTRALIA | Ross Williams
AUSTRALIA | RSA Data Security Australia
AUSTRALIA | Secure Network Solutions
AUSTRALIA | Security Domain Pty Ltd
AUSTRALIA | TRAC Systems
AUSTRALIA | Tracom
AUSTRIA | Esheineck, Stemer, Beiieimair
AUSTRIA | IAIK, TU Graz
AUSTRIA | Mils Elektronik
AUSTRIA | Siemens AG Austria
AUSTRIA | University of Linz
BAHRAIN | International Information Systems
BALTIC REPUBLICS | LAN Vision
BANGLADESH | Quantum System Software
BELGIUM | ClassicS/s
BELGIUM | CNET
BELGIUM | Cryptech NV/SA
BELGIUM | Data Alert International Elfhoven BV
BELGIUM | GSA Ran Data Europe
BELGIUM | Highware, Inc.
BELGIUM | Lintel Security
BELGIUM | Open Software Foundation / Europe
BELGIUM | UTI-MACO Belgium
BELGIUM | Vector
BRAZIL | PC Software e Consultoria Ltda
BRUNEI | Digitus Computer Systems
CANADA | A.B Data Sales, Inc.
CANADA | Adam Berent
CANADA | Atlantic Systems Group (ASG)
CANADA | Authentex/NovaStor
CANADA | Certicom
CANADA | Chrysalis ITS
CANADA | Compression Technologies, Inc.
CANADA | Computer Security Corporation
CANADA | CRYPTOCard Corporation
CANADA | Cycomm International, Inc.
CANADA | Earthworks Communications
CANADA | Entrust Technologies
CANADA | Freestyle Software, Inc.
CANADA | Gandalf
CANADA | Ilex Systems Inc.
CANADA | Inloron Technologies, Inc.
CANADA | Isolation Systems
CANADA | Jaws Technologies, Inc.
CANADA | Kyberpass Corporation
CANADA | Micro Tempus, Inc.
CANADA | Microsoft Canada, Inc.
CANADA | Milkyway Networks Corporation
CANADA | MPR Teltech
CANADA | NetComServ Canada
CANADA | Newbridge Networks Corp.
CANADA | Nortel Secure Networks
CANADA | Northern Telecom Canada Ltd. (Data Comm. Products)
CANADA | Northern Telecom Canada Ltd (Secure Networks)
CANADA

CANADA 

CANADA 

CANADA 

CANADA 

CANADA 

CANADA 

CANADA 

CANADA 

CANADA 

CANADA 

CANADA 

CANADA 

CANADA 

CANADA 

CANADA 

CHILE

COLUMBIA 

CYPRUS 

CZECH REPUBLIC

CZECH REPUBLIC 

CZECH REPUBLIC 

DENMARK 

DENMARK 

DENMARK 

DENMARK 

DENMARK 

DENMARK 

DENMARK 

DENMARK 

DENMARK 

DENMARK 

ESTONIA 

FINLAND 

FINLAND 

FINLAND 

FINLAND 

FINLAND 

FINLAND 

FINLAND 

FINLAND

FRANCE 

FRANCE 

FRANCE

FRANCE 

FRANCE 

FRANCE 

FRANCE 

FRANCE 

FRANCE 

FRANCE 

FRANCE 

FRANCE 

FRANCE 

FRANCE

FRANCE 

FRANCE 

FRANCE 

FRANCE


FRANCE 

FRANCE 

FRANCE 

GERMANY 

GERMANY 

GERMANY 

GERMANY 

GERMANY 

GERMANY 

GERMANY 

GERMANY 

GERMANY 

GERMANY 

GERMANY 

GERMANY 

GERMANY 

GERMANY 

GERMANY 

GERMANY 

GERMANY 

GERMANY 

GERMANY 

GERMANY 

GERMANY 

GERMANY 

GERMANY 

GERMANY 

GERMANY 

GERMANY 

GERMANY

GERMANY 

GERMANY 


Ociotucfp Industries
Okiok Data
Ontrack Computer Systems, Inc.
Paradyne Canada Ltd.
Queen's University
RAYBCRG TECHNOLOGIES INC.
Scientific Atlantic
Securfrj Communications Inc. (SCI)
Sierra Wireless
Slams Technology
Symantec, Canada
The Enigma Group
TimeStep Corporation
Tundra Semiconductor Corp
Xcert International Inc.
Zoomit Corporation
Bysupport Computacion SA
Economic Data st
A E C Consultants Ltd
Aiwii Software
Decros spol. s r.o
PCS spol. s r.o.
Aarhus University, Computer Science Department
CryptoMathic A/S
GN Datacom
inieiitech Omntware
Iversen & Martens A/S
Kommunedata
LSI Logic/Dataco AS
Swanholm Computing A/S
Swanholm Distribution A/S
Telesec
Cybernetica
Antti Louko
Ascom Ciniet OY
Datafellows Ltd
Instrumentointi OY
Jetico, Inc.
LAN Vision OY
SSH Communications Security
SSH Communications Security
A6 SCI
ActivCard
Aladdin France SA
Atlantis
Bull Worldwide Information Systems Inc
CCETT
Cryptech France
Crypto-SoY Sad
CSEE - Division Communication et Informatique
CSiL
Dassault Automatismes et Telecommunications
Digital Equipment Corp. (DEC), Paris Research Lab
Herve Schauer Consultants
Hewlett Packard France
Incaa France S.A.R.L
LAAS
Netscape Communications CNIT
Philips Communication Systems
Premenos Europe
Rasi Electronics
Research Institute
S A. Gretag
SAGEM
Andreas Kupnes
Andreas Muller Software
AR Datensicherungssysteme GmbH
Atlantis GmbH (Deutschland)
Bailer & Huwig
BioData GmbH
BROKAT Infosystems AG
CCI (Competence Center Informatik GmbH)
CE Infosys GmbH
Cedric Reinaru
Ceilicon
Christoph Martin
Concord-Eracom Computer GmbH
Controlware GmbH
CryptoSoft GmbH
CryptoSoft GmbH
Data Safe
DemCom
DTM Data TeleMark GmbH
Dynatech - Gesellschaft für Datenverarbeitung GmbH
EuroCom EDV
EZi GmbH
FAST ComTec GmbH
GAO
Giiss A Heiweg
Glück & Kanja GmbH
GMD
Gretag Elektronik GmbH
Interconnect
GERMANY          Jürgen Meyer, Frank Gadegast
GERMANY          Karl Huwig
GERMANY          KryptoKom
GERMANY          Markt & Technik Software Partners Intl. GmbH
GERMANY          MARX Datentechnik GmbH
GERMANY          Matthias Kretschmer
GERMANY          Paradyne GmbH
GERMANY          RolanO MurxSIOCft
GERMANY          SIS International Deutschland GmbH
GERMANY          Siemens Vertrauliche Kommunikation
GERMANY          Siemens-Nixdorf
GERMANY          SIT
GERMANY          T. Billenstem
GERMANY          Tela Versicherung
GERMANY          Tele Security Timmann GmbH & Co
GERMANY          Telenet Kommunikations Systeme
GERMANY          The Compatibility Box GmbH
GERMANY          Toshiba Europe GmbH
GERMANY          Utimaco Safeware AG
GERMANY          Wlineim KeiDi Werve
GHANA            Software Marketing Consultancy
GREECE           A E C Consultancy
GREECE           G J.Mcssaniis & Co. Ltd.
GREECE           John liMnoiOis
GREECE           ORCO Ltd.
HONG KONG        Digitus Computer Systems
HONG KONG        Microsoft Hong Kong, Ltd.
HONG KONG        News Datacom
HONG KONG        ROCTEC Enterprises, Ltd.
HONG KONG        Techtrend Engineering, Ltd. (TEL)
HONG KONG        Triple D Ltd.
ICELAND          Logi Ragnarsson
ICELAND          Softis hf
INDIA            Bharat Electronics Ltd.
INDIA            Chenab Info Technology
INDIA            DCM Data Products
INDIA            Digital Electronics Ltd.
INDIA            Digital Equipment (India) Ltd.
INDIA            Hewlett-Packard (India) Pvt. Ltd.
INDIA            Hinditron Computers Pvt. Ltd.
INDIA            International Computers Indian Manufacture Ltd.
INDIA            International Data Management Ltd.
INDIA            OMC Computers Ltd.
INDIA            Patni Computer Systems Ltd., Export Division
INDIA            PSI Data Systems Ltd.
INDIA            Quantum System Software
INDIA            Rolta India Limited
INDIA            Tata Burroughs Ltd.
INDIA            Tata Consultancy Services
INDIA            Tata Unisys Ltd.
INDIA            Texas Instruments (India) Pvt. Ltd.
INDIA            Wipro Systems Limited
INDONESIA        Digitus Computer Systems
IRAN             Communications Industries Group
IRAN             ^abakeri Qosiar Corporation
IRELAND          AT&T Network Systems Ireland
IRELAND          Eurologic Systems, Ltd.
IRELAND          Isocor Ireland
IRELAND          Priority Data Systems Ltd.
IRELAND          Renaissance Contingency Services Ltd.
IRELAND          Shamus Software Ltd.
IRELAND          Silicon Software Systems Ltd.
IRELAND          Software and Systems Engineering Ltd.
IRELAND          Software Systems Engineering Ltd.
IRELAND          Systemics Ltd.
ISLE OF MAN      Invisimail International Ltd.
ISRAEL           Aladdin Knowledge Systems, Ltd.
ISRAEL           Algorithmic Research Ltd.
ISRAEL           Aliroo Ltd.
ISRAEL           Areshelt Systems Ltd.
ISRAEL           Carmel Software Engineering Ltd.
ISRAEL           Check Point Software Technologies Ltd.
ISRAEL           Elementrix Technologies Ltd.
ISRAEL           ins Software
ISRAEL           News Datacom
ISRAEL           RADGUARD, Ltd.
ISRAEL           Secure Network Systems, Ltd.
ISRAEL           Tadiran
ISRAEL           Vanguard Security Technologies Ltd.
ITALY            AMTEC SPA
ITALY            CERT-IT
ITALY            Eutron Spa
ITALY            Incaa SRL
ITALY            Olivetti
ITALY            Ratio Sn
ITALY            Siosiiicmi an
ITALY            Systems Comunicazioni srl
ITALY            TELSY Elettronica e Telecomunicazioni S.p.A.
ITALY            "eivox s.a.s,
IVORY COAST      Software Marketing Consultancy
JAPAN            Advance Co., Ltd.
JAPAN            Compel Inc.
JAPAN            Fujitsu Labs Ltd.

CANADA           Odoinorp Inaustnes
CANADA           Okiok Data
CANADA           Ontrack Computer Systems, Inc.
CANADA           Paradyne Canada Ltd.
CANADA           Queen's University
CANADA           RAYBORG TECHNOLOGIES INC.
CANADA           Scientific Atlantic
CANADA           Secured Communications Inc. (SCI)
CANADA           Sierra Wireless
CANADA           Silanis Technology
CANADA           Symantec, Canada
CANADA           The Enigma Group
CANADA           TimeStep Corporation
CANADA           Tundra Semiconductor Corp
CANADA           Keen International Inc.
CANADA           Zoomit Corporation
CHILE            Bysupport Computacion SA
COLUMBIA         Economic Data si
CYPRUS           A E C Consultants Ltd
CZECH REPUBLIC   Atwii Software
CZECH REPUBLIC   Decros spol. s r.o.
CZECH REPUBLIC   PCS spol. s r.o.
DENMARK          Aarhus University, Computer Science Department
DENMARK          CryptoMathic A/S
DENMARK          GN Datacom
DENMARK          Intellitech Omniware
DENMARK          Iversen & Martens A/S
DENMARK          Kommunedata
DENMARK          LSI Logic/Dataco AS
DENMARK          Swanholm Computing A/S
DENMARK          Swanholm Distribution A/S
DENMARK          Telesec
ESTONIA          Cybernetica
FINLAND          Antti Louko
FINLAND          Ascom Fintel OY
FINLAND          Datafellows Ltd.
FINLAND          Instrumentointi OY
FINLAND          Jetico, Inc.
FINLAND          LAN Vision OY
FINLAND          SSH Communications Security
FINLAND          SSH Communications Security
FRANCE           AS Soft
FRANCE           ActivCard
FRANCE           Aladdin France SA
FRANCE           Atlantis
FRANCE           Bull Worldwide Information Systems Inc
FRANCE           CCETT
FRANCE           Cryptech France
FRANCE           Crypto-Box San
FRANCE           CSEE - Division Communication et Informatique
FRANCE           CSIL
FRANCE           Dassault Automatismes et Telecommunications
FRANCE           Digital Equipment Corp. (DEC), Paris Research Lab
FRANCE           Herve Schauer Consultants
FRANCE           Hewlett Packard France
FRANCE           Incaa France S.A.R.L.
FRANCE           LAAS
FRANCE           Netscape Communications CNIT
FRANCE           Philips Communication Systems
FRANCE           Premenos Europe
FRANCE           Past Electronics
FRANCE           Research Institute
FRANCE           S.A. Gretag
FRANCE           SAGEM
GERMANY          Andreas Kupnes
GERMANY          Andreas Muller Software
GERMANY          AR Datensicherungssysteme GmbH
GERMANY          Atlantis GmbH (Deutschland)
GERMANY          Bailer & Huwig
GERMANY          BioData GmbH
GERMANY          BROKAT Infosystems AG
GERMANY          CCI (Competence Center Informatik GmbH)
GERMANY          CE Infosys GmbH
GERMANY          Cedric Reinartz
GERMANY          Celticon
GERMANY          Christoph Martin
GERMANY          Concord-Eracom Computer GmbH
GERMANY          Controlware GmbH
GERMANY          CryptoSoft GmbH
GERMANY          CryptoSoft GmbH
GERMANY          Data Safe
GERMANY          DemCom
GERMANY          DTM Data TeleMark GmbH
GERMANY          Dynatech - Gesellschaft für Datenverarbeitung GmbH
GERMANY          EuroCom EDV
GERMANY          E2I GmbH
GERMANY          FAST ComTec GmbH
GERMANY          GAO
GERMANY          Gliss & Herweg
GERMANY          Glück & Kanja GmbH
GERMANY          GMD
GERMANY          Gretag Elektronik GmbH
GERMANY          Interconnect

JAPAN            Jade Corporation Ltd.
JAPAN            Mitsubishi Electric Corporation
JAPAN            Mitsubishi Electric Engineering Company Ltd.
JAPAN            Netscape Communications KK Japan
JAPAN            Nihon RSA
JAPAN            Nippon Telephone & Telegraph
JAPAN            Open Software Foundation / Pacific
JAPAN            Paradyne Japan, KK
JAPAN            Toshiba Information Systems (Japan)
JAPAN            Yokohama National University
KENYA            Memory Masters
KUWAIT           LBI International
LUXEMBOURG       Data Alert International Eindhoven BV
MADAGASCAR       Megabyte Computers
MALAYSIA         Digitus Computer Systems
MALTA            LBI International, Inc.
MALTA            ParU Computer Co. Ltd.
MALTA            Shireburn Co. Ltd.
MAURITIUS        Megabyte Computers Ltd.
MEXICO           Computer Security Corporation
MEXICO           Ontrack Computer Systems Inc.
MEXICO           Seguridata Privada S.A. de C.V.
MEXICO           The King of Heals
NEPAL            Quantum System Software
NETHERLANDS      Ad Infinitum Programs (AIP-NL)
NETHERLANDS      Alco Blom Software
NETHERLANDS      Asol B.V.
NETHERLANDS      Atlantis Nederland BV
NETHERLANDS      Concord Eracom Nederland BV
NETHERLANDS      CRYPSYS Data Security
NETHERLANDS      Cryptech Nederland
NETHERLANDS      Data Alert International Eindhoven BV
NETHERLANDS      DigiCash
NETHERLANDS      DS^ International
NETHERLANDS      Eindhoven Automatisering
NETHERLANDS      EliaShim Europe B.V.
NETHERLANDS      Geveke Electronics BV
NETHERLANDS      Incaa Datacom BV
NETHERLANDS      Incaa Nederland B.V.
NETHERLANDS      Philips Crypto BV
NETHERLANDS      Pijnenburg
NETHERLANDS      PTT
NETHERLANDS      Symantec, Netherlands
NETHERLANDS      Tulip Computers BV
NETHERLANDS      versoeck & Soeters b.v.
NEW ZEALAND      CES Communications Ltd.
NEW ZEALAND      Jonn G lmorc
NEW ZEALAND      Loadcian Australasia Pty Ltd
NEW ZEALAND      LUC Encryption Technology, Ltd. (LUCENT)
NEW ZEALAND      Microsoft New Zealand
NEW ZEALAND      Peter Gutmann
NEW ZEALAND      RPK New Zealand Ltd.
NIGERIA          Software Marketing Consultancy
NORWAY           Ailadm Software
NORWAY           BDC Bergen Data Consulting A/S
NORWAY           Bergen Data Consulting A.S.
NORWAY           ColumDi Micro a.s.
NORWAY           Ericsson Samafor
NORWAY           InfoMedica AS
NORWAY           Informasjonskontroll A/S
NORWAY           Infporialikk A/S
NORWAY           KirXedam Eiektromkk E08
NORWAY           Nous AS
NORWAY           POi
NORWAY           Scand PC Sys/Secira
NORWAY           Siemens Nixdorf Informasjonssystemer A/S
NORWAY           Skanditek A/S
NORWAY           Sterling Software Scandinavia A/S
NORWAY           Swanholm Distribution A/S
NORWAY           Teiepadneras
NORWAY           Voicetech A.S.
OMAN             LBI International
PHILIPPINES      Digitus Computer Systems
POLAND           Dagma sp. z o.o.
POLAND           Enigma Information Security Systems
POLAND           SCFT-ut.
PORTUGAL         Iniomova
PORTUGAL         Redisiogar SA
PORTUGAL         RSVP Consultores Associados Lda.
QATAR            LBI International
REUNION          Megabyte Computers
ROMANIA          Interscope s.r.l.
RUSSIA           <UNKNOWN>
RUSSIA           As^n
RUSSIA           Elias Ltd.
RUSSIA           INFOfW ■ RTG
RUSSIA           LANCrypto
RUSSIA           R£SCryd>!Q
RUSSIA           SoanTecTi
RUSSIA           TELECRYPT, Ltd.
RUSSIA
SAUDI ARABIA     Info Guard Saudi Arabia
SAUDI ARABIA     LBI International Ltd.

SINGAPORE        Communications Systems Engineering Pty. Ltd.
SINGAPORE        Oisineim Singapore Pte. Ltd.
SINGAPORE        Digitus Computer Systems
SINGAPORE        Digitus Computer Systems
SINGAPORE        Microsoft Singapore Pte. Ltd.
SLOVAK REPUBLIC  Lynx sro
SLOVAK REPUBLIC  PCS Bratislava sro
SOUTH AFRICA     BSS (Pty) Ltd.
SOUTH AFRICA     BSS (Pty) Ltd.
SOUTH AFRICA     Citadel Data Security
SOUTH AFRICA     Computer Security Associates
SOUTH AFRICA     Denel Informatics
SOUTH AFRICA     EFT
SOUTH AFRICA     Intelligent
SOUTH AFRICA     Nanoteq
SOUTH AFRICA     Net One
SOUTH AFRICA     NetSec
SOUTH AFRICA
SOUTH AFRICA     Siemens Ltd. So. Africa - Pretoria
SOUTH AFRICA     Siemens Ltd. - So. Africa
SOUTH AFRICA     Spescom
SOUTH AFRICA     Thawte Consulting
SOUTH KOREA      Digitus Computer Systems
SOUTH KOREA      Future Systems, Inc.
SOUTH KOREA      -iiian.Soft
SOUTH KOREA      Penta Security Systems Inc.
SOUTH KOREA      Senex Technologies Inc Ltd
SOUTH KOREA
SPAIN
SPAIN
SPAIN
SPAIN
SPAIN
SPAIN
SWEDEN
SWEDEN
SWEDEN
SWEDEN
SWEDEN
SWEDEN
SWEDEN
SWEDEN
SWEDEN
SWEDEN
SWEDEN
SWEDEN
SWEDEN
SWITZERLAND
SWITZERLAND
SWITZERLAND
SWITZERLAND
SWITZERLAND
SWITZERLAND
SWITZERLAND
SWITZERLAND
SWITZERLAND
SWITZERLAND
SWITZERLAND
SWITZERLAND
SWITZERLAND
SWITZERLAND
TAIWAN
THAILAND
TURKEY
TURKEY
UAE
UK
UK
UK
UK
UK
UK
UK
UK
UK
UK
UK
UK
UK
UK
UK
UK
UK
UK
UK
UK
UK
UK
UK
UK
UK
UK
UK

D. REPORT OF THE PRESIDENT’S EXPORT COUNCIL SUBCOMMITTEE ON ENCRYPTION, 
WORKING GROUP ON INTERNATIONAL ISSUES 

The following findings have been adopted by the PECSENC as a reflection of con- 
ditions of international competition prior to the U.S. Government’s liberalization of 
encryption export controls announced on September 16, 1998. The liberalization 
may affect many of these findings, and the findings will be used as a baseline for 
a review of the effects of the liberalization in future sessions of the PECSENC. 

1. The difference between U.S. encryption controls and those of other nations is 
a serious — but not the only — factor determining success in the computer security 
market. With or without controls, both U.S. and foreign products are likely to con- 
tinue to coexist, and other factors are likely to continue to slow deployment of secu- 
rity products. Many foreign companies, for example, especially those influenced by 
governments, will continue to favor domestic security solutions, and many computer 
users will not deploy serious security technology until there have been major inci- 
dents with losses that can be attributed to lack of encryption. 

2. Nonetheless, the adverse impact of controls on U.S. industry is palpable. For 
many software applications, business customers simply demand security and 
encryption; it is a checklist item, and its absence is a deal breaker. While simply 
counting the number of foreign encryption software products in the market is not 
an accurate measure of the impact of controls, one particularly serious risk is that 
non-U.S. companies will use their ability to export stronger encryption as “leverage” 
to dominate particular applications. 

This has happened in at least one field — Internet banking — and may occur in 
other areas of electronic commerce. Brokat, a German company that scarcely existed 
four years ago, now has 250 employees and offices in several countries including the 
United States. Brokat’s specialty is Internet banking and electronic commerce, but 
it broke into that business on the strength of being able to offer stronger encryption 
than German banks could obtain in Netscape or Microsoft browsers. It is now a 
major player in this niche, with 50% of the European Internet banking market and 
enough U.S. customers to justify a 20-person U.S. branch office. Meanwhile, 
encryption constitutes 10% or less of Brokat’s revenue, and it has expanded its ini- 
tial Internet banking offerings to include support for other forms of electronic com- 
merce. Loss of U.S. competitiveness in the electronic commerce software market ob- 
viously raises concerns not just about encryption software but other software oppor- 
tunities. Indeed, it foreshadows a weakening of the U.S. position as a leader in elec- 
tronic commerce generally. 

3. The persistent emphasis in U.S. export control policy over the past two years 
on key recovery, or “lawful access,” has also taken a toll on the credibility of U.S. 
security products. Key recovery continues to find a market. Business wants to en- 
sure that data are available for corporate purposes, including litigation. Key recov- 
ery is seen as an important feature for stored business data (though not for commu- 
nicated data in transit). 

But the use of export controls to drive the key recovery market further than it 
would go by itself is hurting U.S. industry. Foreign governments and competitors, 
particularly in Europe, have misinterpreted this U.S. policy, perhaps deliberately. 
In essence, foreign customers are told often by their governments as well as local 
security companies that all U.S. encryption products come with a back door allowing 
the U.S. government to read the contents. In part this is the result of outmoded “Re- 
covery” supplements to U.S. export rules that demand an unrealistic level of U.S. 
government access to key recovery products. In part it reflects the hostility of many 
foreign governments toward U.S. key recovery and access policies. It also reflects 
the fact that some countries will simply never rely on security products that are not 
home-grown, and misunderstanding U.S. key recovery policies may simply be a 
handy stick to beat U.S. products with. But it is unfortunate that the U.S. govern- 
ment has provided such a large and easily wielded stick. 

4. U.S. controls are driving many U.S. companies into “cooperative arrangements” 
with foreign encryption suppliers. These cooperative arrangements allow U.S. com- 
panies to provide complete security solutions by encouraging their foreign partners 
to marry foreign-made crypto with U.S. commercial applications. These cooperative 
arrangements are highly risky under U.S. law, but they are not unlawful per se. 
Given the stakes, many companies have been prepared to take risks under U.S. law, 
and it is expected that more will do the same. The result is that U.S. policy has 
fostered the development of cryptographic software and hardware skills outside the 
United States. German, Swiss, Canadian, Russian, and Israeli cryptography compa- 
nies have all benefited from this unintended consequence of U.S. encryption policy. 

5. The U.S. government has made efforts to “level the field” of disparate export 
controls for encryption through negotiations under the Wassenaar Agreement. The 
U.S. proposal that 56-bit encryption become a new “floor” for encryption exports 
under Wassenaar, while certainly better than current policy, is likely to be imple- 
mented at least a year and perhaps several years too late. In response to the U.S. 
KMI initiative, which conditionally decontrolled 56-bit encryption in December 1996, 
other countries also decontrolled 56-bit DES but more or less unconditionally. The 
countries include Canada and apparently the United Kingdom. And by 1996, other 
countries, such as Germany, already were approving the export of 56-bit DES to vir- 
tually any country for virtually any purpose. Most recently, the exhaustion of a 56- 
bit DES key using a machine built for a quarter million dollars has entirely discred- 
ited DES as a serious security tool for valuable secrets. Single DES remains a useful 
tool for assuring privacy against a wide variety of potential adversaries and snoops, 
but decontrolling 56-bit encryption will not provide a significant boost to the com- 
petitiveness of U.S. technology for serious security applications. 

6. Process and timing: In 1995, the State Department approved routine license ap- 
plications for the export of encryption in less than a week on average. This was 
when the State Department had jurisdiction over encryption and NSA staffed the 
State Department’s office and handled all encryption license applications. 

This is no longer the case. The Commerce Department has staffed up heavily in 
the encryption field, but its processes now include parallel reviews by the FBI and 
NSA under a 30-day deadline that can be extended further with a simple “no” vote 
by either agency. For whatever reason, these agencies are now taking the full 30 
days — and often 90 days. Against a backdrop of continued export liberalization over 
the past four years, this degradation in export control performance strikes a jarring 
note. 

The Commerce Department’s performance in this area is not necessarily out of 
line with the performance of other countries. The German government often takes 
two to three months to approve a license for a new product and six weeks to approve 
a license for routine shipments. The difference is that German companies know with 
certainty that a license will be issued at the end of the process; and the German 
government imposes no key recovery requirement on exporters. Therefore, they can 
make commitments to deliver products that require a license even before they get 
the license. In the United States, both the FBI and NSA have at times cast votes 
intended to roll back existing policies, and they have at a minimum managed to 
stall licenses that seemed to fit existing policy. A key recovery policy, for example, 
has been applied sporadically to U.S. multinationals and with some inconsistency 
to other exports. For this reason, it is not prudent for exporters to assume that a 
license will be issued or to make commitments on the assumption that the license 
will be issued — even when existing policy makes it seem likely that a license will 
eventually be granted. Because an RFP by a foreign company may provide only 30 
days for responsive proposals, and the proposals often must include an assurance 
that an export license will be obtained, some U.S. companies lose bidding opportuni- 
ties simply because the U.S. government does not process licenses quickly enough. 

In other respects, of course, Commerce Department practice is a large improve- 
ment over State’s performance. This is particularly true for controversial licenses, 
on which Commerce typically forces a decision over a course of months. In contrast, 
State Department licenses could be held up for months without any explanation and 
there were no deadlines for resolving interagency disputes. Nonetheless, it seems 
clear that the Commerce Department and the other participants in the encryption 
licensing process should adopt additional procedures to speed the granting of rel- 
atively non-controversial licenses. 

Senator Frist. Thank you very much, Mr. Hoffman. 

Let me begin with Mr. Bidzos. You mentioned that the Adminis- 
tration probably underestimates — you did not say “probably” — 
underestimates companies overseas, and you mentioned the 3-year 
delay. Could you comment on both of those? 

Mr. Bidzos. Yes, Mr. Chairman, I would be happy to. When I 
testified almost 10 years ago I was predicting that we would do 
economic harm to ourselves if we continued to control encryption, 
and that turned out to be true. It took 9 years for us to really see 
it. In fact, we warned at the time that by the time we could point 
to the damage — because the Administration was saying, “Show us 
where the harm is, show us how you are being hurt,” and my re- 
sponse was: “By the time I can show you lost market share, it is 
probably too late for you to help me get it back at that point.” 

So let me now again, 9 years later, look out 3 years and see what 
might happen. First of all, I think the Administration underesti- 
mates the extent to which foreign competitors wish to emulate us. 
Look at the role that information technology plays in the growth 
of the U.S. economy. It is absolutely the driving force. It is the en- 
gine that is driving unprecedented economic growth, unprecedented 
in history. The amount of jobs created, the amount of revenue gen- 
erated, the amount of innovation, the absolute dollars involved are 
absolutely unprecedented. 

Our foreign competitors are quite aware of this. They are start- 
ing to tap public markets for funds to grow. They are starting to 
target opportunities created by U.S. export policy. Two quick exam- 
ples of how they are doing that and what the stakes involved are. 

First of all, they are actually starting to identify larger products 
of which encryption is a critical feature and they are starting to 
build products of those types. They are seeing an opportunity not 
only to get the encryption revenue, but to get 2, 3, 10, or 20 times 
the encryption revenues by making a complete product sale. 

They also, of course, just by virtue of coming into business as an 
encryption company because of the opportunity created by U.S. ex- 
port law, exist and therefore they are able to take advantage of op- 
portunities that they see. If not for export law, they would not even 
exist. 

There is a company in Germany called Brokat which now em- 
ploys over a thousand people, has raised money in the public mar- 
ket with a very successful public offering, would not exist if it were 
not for the opportunities created by U.S. crypto. 

To go directly to your question, the 3-year timeframe before we 
can export encryption as strong as the AES, well, first of all, every- 
body knows that 3 years today is like 15 years was 10 years ago. 
We live in the Internet age and things happen very, very quickly. 
Three years is a lifetime. Those companies will exploit opportuni- 
ties in ways that I mentioned and in other ways that we cannot 
imagine. 

But the real price that we will pay is this. They essentially — it 
is not a national information infrastructure we are talking about, 
as the Vice President used to call it. It is a global information in- 
frastructure, there is no question whatsoever. If you look in today’s 
papers, you will conclude very quickly that around the clock global 
trading of securities is just around the corner. That is not going to 
happen without a secure information infrastructure and that infor- 
mation infrastructure will be secured, it will be global. The only 
question is who is going to build it. 

The way things sit today, U.S. companies will not build it. U.S. 
companies will not play the role in building it that they might play. 

So these infrastructures that get built are I think critically im- 
portant in ways we cannot appreciate right now. The company that 
gets in and builds the infrastructure will have the inside track in 
selling products and services for 2, 5, 10, and maybe even 20 years 
down the road because of that early position they stake out for 
themselves as the infrastructure provider. They set the standards, 
they have the relationship, etcetera, etcetera. 

So this 3 years I am afraid is going to cost us tremendously. 

Senator Frist. In S. 798 we streamline the procedure for receiv- 
ing an export license by putting a maximum number of days in 
each step, and you argue that is not enough. Are you arguing for 
an alternative or are you saying that there should not be these ex- 
port control policies? 

Mr. Bidzos. Well, maybe I can answer that question by referring 
to something that Secretary Reinsch said. Secretary Reinsch com- 
pared encryption in one respect to supercomputers, machine tools, 
biotech, and said that if foreign availability were the sole criteria 
we would have no export controls on all of those other products. I 
would submit that encryption does not belong in that category. 

If you want to build a supercomputer, if you want to build one 
and build a lot of them in particular, you need to have incredibly 
sophisticated technology to manufacture these computers. It is in- 
credibly expensive. You need people with tremendous specialized 
skills. Just building the systems that can cool the operating super- 
computer is incredibly sophisticated. The same is true of manufac- 
turing machine tools. The same thing is true of biotech. You need 
sophisticated technology just to build the laboratories, the tools, the 
instruments. 

For encryption all you need is a high school textbook and a per- 
sonal computer. I guess you need Internet access, too, so that 
brings it down to about 100 million people who are probably capa- 
ble of doing it. All you need to get into business and duplicate and 
sell that software is a web site. That may bring it down to 80 mil- 
lion, but it does not get much smaller than that. 

You have got companies in South Africa, in Estonia and other 
places who advertise the fact that they can simply ship you strong 
encryption that is not subject to U.S. export controls. So we are 
really in a different situation, where the technology is available 
and we are not competitive. 

Senator Frist. Thank you. 

Professor Hoffman, you have been studying the growth of foreign 
encryption products for a long time and I appreciate your work 
very much and your written testimony as well. Do you believe that 
U.S. export controls have been effective in controlling the develop- 
ment of encryption overseas? 

Dr. Hoffman. Well, I think you can see from the results of our 
survey they have been, I would say, marginally effective. They 
have had some effect, but I think overall the market has had more 
effect than the U.S. legislation. 

Senator Frist. Mr. Aucsmith, do you have comments on anything 
that has been said? 

Mr. Aucsmith. I would make one slight addition to Jim’s state- 
ment about our 3-year window. That has two parts to it. One thing 
is that the international Internet as we now know it exists because 
there are international standards. That is what allows everything 
to work together. It is the glue that holds things together. At this 
time there are two particular standards being defined worldwide 
that deal with the security. 

IPsec, the Internet Protocol Security Standard, the very thing 
that will secure point to point connections on the Internet, is being 
finalized, and already there are many, many countries producing 
technology that will go into that. If my company and others in the 
United States cannot participate for 3 years, we will be locked out 
forever. It is that simple. 

The second is, and this is particular to hardware, while we might 
think we move at an Internet speed, our development cycles mean 
that there is a long lead time on the piece of hardware, but in the 
microprocessor area I am working on a microprocessor design that 
you will not see until the year 2003. I have to make a billion dollar 
bet today on whether or not I can export that in 2003. It is very, 
very hard without some assurance of what the world will look like 
in terms of legislation at that particular time. 

So we will be held out. Every day that this is delayed is a day 
that we miss products a long time from now. 

Senator Frist. Mr. Aucsmith, could you comment on who should 
be the trusted parties for recoverable, key recoverable products? 

Mr. Aucsmith. Actually, as I stated before, I am not in favor of 
key recoverable products, for two primary reasons. One is I think 
that they fundamentally will not work well, for communications 
products I do not think that there is any market for that. There 
is no market need. One could be created artificially by government 
regulation, but there is no market need. 

For stored data, I think the majority of data — in order to be of 
any use, information has to be shared. It is a rare commodity in 
information that is valuable and not shared, meaning that if the 
proverbial person is hit by a bus it is unlikely that he or she is the 
only one that has access to that information. In fact, in most cor- 
porations mission-critical information is stored on databases and is 
kept in separate mechanisms that have separate access control. I 
submit that corporations have been dealing with this for quite 
some time already. 

So I would say that in general there should not be trusted third 
parties, at least not for the key recovery or access control point of 
view. 

Senator Frist. Mr. Bidzos, could you tell me a bit more, the com- 
mittee a bit more, about the Internet standards in setting security 
requirements? Is the 128-bit encryption now the norm? 

Mr. Bidzos. Yes, it is, Mr. Chairman. There is absolutely no 
question about that. In fact, both in and outside the United States 
that is the case. Now, I know some of the other witnesses said that 
it is not used quite as widely as you might be led to believe. I think 
certainly in the past we have been guilty, as people in industry, of 
trying to look out into the future and saying, well, this is what is 
going to happen to us if these export control policies do not change 
and, sure, maybe we have tended to sort of look at the worst case 
scenario or closer to that maybe than the middle. But I think the 
Administration is guilty of some of the same. 

Let me give you a couple of specific examples. If you want to 
bank online with Wells Fargo in California or if you want to access 
your mutual fund account at Fidelity or any other of scores of fi- 
nancial services institutions, if you want to buy or sell stock online 
with E-trade, your browser must have 128-bit encryption or you 
cannot do it. Their servers are configured such that nothing but a 
browser enabled at 128 bits will work at all. 

So even in cases where some people are using the “exportable” 
lower key lengths in some of these browsers, the primary reason 
they are doing it is because they are not aware that they are doing 
it and they have not upgraded. But as soon as they try to use one 
of these services, they find out that they need to upgrade. This is 
in the United States. Only under certain conditions can those be 
sold outside the United States. 

So the standards that David alluded to are being developed. They 
are global standards. The participants in the standards-making 
process are from all over the world. And David is absolutely right 
that companies outside the United States are rapidly moving to 
build products that comply with those standards and, as we heard 
from the earlier panel, those foreign competitors of ours will be 
able to sell worldwide, including in the United States, and we will 
not. And that is a competitive disadvantage that we will find it 
very difficult to live with and that we will probably never recover 
from if we have to wait 3 years. 

Senator Frist. With key length clearly being a moving target 
even in one hearing, but also as we project ahead, and you are de- 
veloping products for 3 years from now, and we know that tech- 
nology is going to progress much faster and that is sort of the 
theme of this morning, we have advocates for the 128-bit 
encryption products rather than 64-bit products. How do you pro- 
pose that we deal with these technological changes legislatively so 
that we do not have obsolete legislation within 6 months of the 
time we pass it, recognizing the changes that are under way? 

Anybody on the panel? Mr. Aucsmith. 

Mr. Aucsmith. There is a fallacy in trying to regulate 
technological advancement in general. If you tie it to specific 
technologies — and in this case, tying it to specific bit lengths I think 
it is tying it to specific technologies. We cannot anticipate 
necessarily what the market will want 3 years from now in terms of 
bit length. I would submit that the best way to deal with this in 
a legislative point of view is to deal with the effects of the tech- 
nology rather than the technology itself, because I think there is 
a treadmill that you could get on, having to revisit this very issue 
every 3 years, which I do not think would be productive for anyone 
involved. I think if you have it welded to some specific value or 
some specific technology or specific implementation, you are rife 
with that. 

Dr. Hoffman. Mr. Chairman, I agree with the previous witness. 
It is ill-advised to legislate using bit length only or even some other 
technological mechanisms. What we have seen in the last several 
years on this is people focusing on specific things like bit length 
and avoiding the inevitable, which is what is going to happen when 
we do have, if you will, ubiquitous, strong, secure encryption. What 
kind of world is it going to be, how are we going to operate? 

We have seen a lot of government resources devoted towards this 
battle, rather than towards looking at the future and trying to 
shape it in a more reasonable way. 

Senator Frist. Could you, any of the panelists, comment on what 
efforts are being made by industry to address the law enforcement 
agencies’ security concerns and develop viable schemes? What is 
being done? Where are we today? Mr. Aucsmith? 

Mr. Aucsmith. Obviously, the majority of industry is extremely 
sensitive to the realities of both law enforcement and national secu- 
rity issues. I would submit that I am personally scared of what the 
future could hold. I think we all should be along those lines. 

What we are doing to try to prevent a disaster, if you will, is if 
you believe that there is an inevitability of this technology being 
available and its widespread use is inevitable, and I think that is 
about the main point that we tend to disagree with the Government 
on, is the speed and inevitability, if you will, of that happening, 
the only way to deal with this issue is for a very close 
cooperation between the industry that is creating the change and 
innovating the change and the law enforcement and intelligence 
communities that need to be able to on occasion use that change to 
their advantage. 

I think things like the national technical center for FBI’s com- 
petency, I think that is exactly the correct step in the right direc- 
tion. I think closer cooperation between industry and the Govern- 
ment in terms of assessing vulnerabilities and assessing strengths 
and weaknesses of various technologies I think is also part of that. 

If you will, no commercial product will ever be 100 percent se- 
cure because it is not really economically feasible for us to squeeze 
that last couple of percent out of it. So there will always be 
vulnerabilities in almost anything that is put out there. Currently 
those vulnerabilities are exploited by what we would call hackers, 
if you will, to coin from recent movies, the dark side. What we 
should be able to do as a government and as responsible industry 
is, if you will, make the Government the better hackers. It is rel- 
atively that simple. 

Senator Frist. Comments, Mr. Bidzos? 

Mr. Bidzos. Yes, Mr. Chairman. Thank you. Well, I guess part 
of the problem is I think that industry has sort of been busy ac- 
tively rebuffing a lot of proposals from government over the last 
dozen years. For example, in 1993 the so-called “Clipper Chip,” the 
first government solution to government access — take my product, 
embed it in all the products that you build, and that will give me 
the access — was rebuffed. It just was not something anybody want- 
ed to use. 

Later came key recovery and I think government again failed to 
realize how industry would view key recovery. One simple analogy 
I can offer you from some of my experience in talking to people in 
the end user community in large end user organizations, financial 
companies. One of them described it very well to me, why they ob- 
jected to some sort of government access to keys. 

They said: “Well, darn it, the Government just does not under- 
stand how things work out here.” They said: “Look, if we are in- 
volved in some sort of litigation or some other form of legal dispute, 
perhaps even being sued by the Government, some sort of antitrust 
action for example, in all these cases the way the drill works is as 
follows: A subpoena is delivered, our lawyers review it, and we 
produce the documents that comply with the request.” 

We do not give them a key and say: “Look, the documents are 
stored in that building; here is the key; find what you need and 
take it, and we will see you later.” Essentially, that is how they 
viewed the proposal for government access to encryption keys, and 
I think that analogy actually holds up very well. 

So you can understand why people resisted it. People do not give 
some third party a copy of all of the physical keys to their facilities. 
They have some small organization, a security organization, inside 
their own company that manages that. 

So again, some close cooperation I think would go a long way to- 
wards easing, bridging the gap. However, if, as is currently hap- 
pening, all of the people developing this technology happen to be 
located in Israel, Singapore, Japan, Ireland, and Germany, it is 
going to be pretty tough for the U.S. Government to interact with 
them and learn and understand and develop products that meet 
the needs of worldwide industry and certainly U.S. industry. 

I think that helps. To me that sort of indicates one of the prob- 
lems with the current policy. It is gambling heavily. 

I do not have a security clearance and I do not know what it was 
that Director McNamara might have been referring to when she 
said she would offer some testimony about the threats of ubiq- 
uitous encryption, she would offer that in a closed session. But 
after this many years in the business and spending a lot of time 
with people who are in that part of it — in fact, I have often awakened 
at night having dreamed that I was served with a clearance for 
some of the things I have probably heard I should not have — I 
think it is fair to say that more than likely it comes down to ubiq- 
uitous encryption increasing the cost and complexity of intelligence 
gathering. 

What we have to weigh against that additional cost is the cost 
to industry in the future. I think for the first time certainly since 
I have been in this business for 14 years, we are starting to actu- 
ally be able to see and identify and quantify some of the costs to 
us of maintaining the current policies. 

So hopefully we can strike that better balance. I think the PRO- 
TECT Act with some additional amendments would strike a far 
better balance than we have now. 

Senator Frist. Thank you. 

Clearly, today’s discussion centers on the security of our Nation, 
the wellbeing of our Nation, and it is clear that we cannot bind the 
hands of our American businesses in this new economy that we 
have all seen really flourish over the last 10, 15, 20 years, and es- 
pecially over the last 3 to 4 years. We need to make sure that we 
can compete nationally, internationally. Otherwise we will sur- 
render our global leadership position. 

As Federal lawmakers and policymakers, we need to be proactive 
and we need to be educated, and thus I thank all of our panelists 
today for participating in that process in this complex policy de- 
bate. 

A number of my colleagues, the chairman and Senator Burns and 
Kerry and Abraham and Wyden and a number of others, have 
worked very hard, and I thank them for their dedication to an 
issue that is incredibly important to business, to security, and to 
the national interest. 

I want to thank this final panel today, as well as the panels ear- 
lier. We will continue to work with you on this very complex but 
very important policy debate. 

With that, we stand adjourned. 

[Whereupon, at 11:45 a.m., the committee was adjourned.] 